Indian data leak looks to have been an inside job

The government authority in charge of India's billion-records-and-counting Aadhaar biometric identity database, the Unique Identity Authority of India (UIDAI), has suspended 5,000 officials from accessing the system.

As we reported yesterday, a journalist for the country's Tribune newspaper wrote of her ability to access Aadhaar records for 500 rupees (US$8.75). The UIDAI responded by including the journalist, Rachna Khaira, in a criminal complaint.

At the time, it was unclear whether access to the system was offered by hackers who had compromised the system, or insiders misusing their accounts to set up Aadhaar gateways for those who could pay.

An unnamed UIDAI officer has now told The Economic Times that “all the privileges given to designated officers for access have been immediately withdrawn”.

The Economic Times also reported that access has been overhauled so that the Aadhaar system can only be accessed if the user has the biometric identifier of the individual whose data is being verified.

Under the previous system, Aadhaar staff could open an individual's file with their 12-digit ID number, a design that facilitated managing the 500,000 daily requests for changes to individuals' details.

Since filing its “First Incident Report” with the police, the authority has sought to explain that it wasn't trying to interfere with press freedom by naming Khaira in the document. Rather, it wanted her (and the Tribune) to help identify who was selling Aadhaar access.

The Tribune has published an e-mail it was sent by UIDAI along with its response.

The authority's two questions were whether anybody supplied Khaira with Aadhaar biometrics (fingerprint or iris scans), and how many (and whose) Aadhaar numbers the journalist was able to view.

The e-mail also said “You are requested to send your response to UIDAI on the sender’s email by 8th January, 2018 failing which it will be presumed that there was no access to any Fingerprints and/or Iris scan”, something that's touched a nerve at the newspaper.

In his response, Tribune editor-in-chief Harish Khare wrote that UIDAI's suggestion that it will assume there was no access to biometrics shows it's not taking the breach seriously.

“We feel sorry that the authorities are unable to appreciate that a breach has taken place”, Khare wrote, “Still, we are more than happy to provide you any such information and will assist UIDAI to maintain integrity of the Aadhaar data”.

Khare's response included an offer to meet someone from UIDIA to answer further questions. ®