Content, Asia Pacific, Breach, Channel markets

One Billion Personal Identities on India’s Biometric Database: For Sale?

Access to the personal identity details of some 1.1 billion Indian citizens housed in the world’s largest biometric database may be up for grabs to cyber crooks for as little as $8, a local investigative report claimed.

Here’s what we know so far (via the Tribune of India):

  • For 500 Indian Rupees (Rs), or $8.00, the Tribune bought access offered by an unnamed seller over the WhatApp messaging service for unfettered access to the identity details of 1.13 billion Indian citizens.
  • Once inside, the intruder could enter a person’s Aadhaar (or identification) number issued by the Unique Identification Authority of India (UIDAI) to residents that includes demographic information and biometric data such as fingerprints, iris scans and a facial photograph.

That’s not all the Tribune bought on the cheap: For another 300 Rs, or less than $5.00, the news agency received tools that allowed it to print the Aadhaar card after entering the individual’s identification number.

As is the case in most unauthorized gateway breaches, this one reportedly involved the use of a backdoor created by the UIDAI for thousands of government officials and other approved users. "The hackers seemed to have gained access to the website of the Government of Rajasthan, as the 'software' provided access to ',' through which one could access and print Aadhaar cards of any Indian citizen,” the Tribune said. “However, it could not be ascertained whether the 'portals' were genuinely of Rajasthan, or it was mentioned just to mislead," the report said.

As a result of the newspaper’s investigation, the UIDAI said it had initiated a police probe into the security breach. Still, the agency blamed the incident on “misuse” of a publicly accessible grievance-redressal search utility, Al Jazeera reported.

“UIDAI assured that there has not been any Aadhaar data breach,” officials said in a statement. “The Aadhaar data, including biometric information, is fully safe and secure.”

However, Sanjay Jindal, Additional Director-General, UIDAI Regional Centre, Chandigarh, appeared to acknowledge the breach. “Except the Director-General and I, no third person in Punjab should have a login access to our official portal,” he told the Tribune. “Anyone else having access is illegal, and is a major national security breach.”

Others saw the breach as inevitable. Kiran Jonnalagadda, co-founder of the Internet Freedom Foundation, said the intrusion posed a serious problem. Government officials with authorized access “were allowed to appoint other officials with the right to access data. It's no wonder someone down the chain went rogue and started selling access," Jonnalagadda told Al Jazeera.

Experts from the security community quickly weighed in on the breach’s significance. "Biometric data is exceptionally sensitive, and if it can be be digitized, it has the potential to be compromised,” said Malcolm Harkins, Cylance chief security and trust officer, in an email to MSSP Alert.

“Done wrong, a digital identification system is easier to compromise and manipulate in a larger scale and in a faster time. It shouldn’t be a surprise that a threat actor would want to gain access to the personal information of this many people,” he said.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.