French security researcher Baptiste Robert, who recently exposed vulnerabilities in TSPost disbursement portal and BSNL database, has now claimed that he found 20,000 Aadhaar cards in pdf and jpeg formats available on websites of both government and non-government agencies across India.
The Unique Identification Authority of India (UIDAI) has, however, dismissed his claims, stating that allegations of a fragile security system were irresponsible, just because unscrupulous elements put up some Aadhaar cards on the Net.
Robert, who blacked out details while posting samples, said, “I found more than 20,000 Aadhaar cards after a manual search in less than three hours. All cards are in public domain. No hacking is needed. It’s open to everybody.”
Another anonymous hacker claiming to be based in New York and using the handle ‘trollyacharya’ tweeted pictures on Sunday. “After a simple search query, I found an Aadhaar card dump of Andhra Pradesh government. Maharashtra government has also put up these key details. UP too has joined the race. They have uploaded Aadhaar, PAN cards and passports.”
UIDAI has replied to a TOI email query, stating — Publication of Aadhaar cards by some people have no bearing on UIDAI and not the least on Aadhaar security. Aadhaar as an identity document by its very nature needs to be shared openly with others as and when required and asked for. Aadhaar just like any other identity document, therefore, is never to be treated as a confidential document. Although Aadhaar has to be shared with others, it being personal information like mobile number, bank account number, PAN card, passport and family details should be ordinarily protected to ensure privacy of the person. If anybody publishes someone’s personal information like Aadhaar card, passport, mobile number, bank account number, he can be sued for civil damages by the person whose privacy right is infringed upon. In no way, it threatens or impacts the security of the system which has issued IDs or numbers. For instance, publication of someone’ bank account, PAN card or passport on the Net does not impact or threaten the security of the banking, income tax or passport system.
UIDAI further said, “People do often share personal information on Internet to some or other service provider or vendor to get services. This doesn’t impact the security of any ID system. Aadhaar is most trusted and widely held ID that one shows or presents when needed. People should freely use it to prove their identity. By simply knowing someone’s Aadhaar card, one cannot impersonate and harm him because Aadhaar alone is not sufficient to prove one’s identity, but requires biometrics to authenticate one’s Identity.” It is reiterated Aadhaar remains safe and secure and there has not been a single breach from its biometric database in last eight years, it added.