Here’s another security warning for Aadhaar
While the Unique Identification Authority of India (UIDAI) has maintained that its database is secure and that there have been no breaches of Aadhaar data from its system, security researchers warn that leaks are happening on third-party sites and that it is important for the agency to ensure that its ecosystem adopts measures to keep data safe.
“Securing an entire ecosystem is more important than securing individual databases,” said security researcher Srinivas Kodali.
Over the weekend, technology publication ZDNet, citing an Indian security researcher, said that it had identified Aadhaar data leaks on a system run by the state-owned utility company Indane that allowed anyone to access sensitive information such as a name, Aadhaar number and bank details. The leak was plugged soon after the report appeared.
UIDAI came out with a strong statement denying the breach. “There is no truth in the story as there has been absolutely no breach of UIDAI’s Aadhaar database. Aadhaar remains safe and secure,” the government agency said.
There have been no reports of any breach in the core database so far. However, it is third parties that have acted as weak links.
“The simple parallel that can be drawn is, though Facebook’s core database of users’ information was secure, the data leak happened through third-party developers and organisations like Cambridge Analytica that have allegedly misused it,” Kodali said.
In the case of Aadhaar too, the allegations of breaches have not concerned the ‘Aadhaar database’ but rather insecure government websites and third parties with API access to the database. “In this aspect, the issue in Facebook and Aadhaar is similar. In both the cases, there was no breach of database, but it was third parties that acted as the weakest link. In both cases, it was a legitimate means of access through API that was open for abuse,” said Sunil Abraham, executive director, Centre for Internet and Society.
UIDAI could take a leaf out of the Indian Space Research Organisation’s book when handling data breach reports. The state-run space agency put out a note appreciating security researchers for their efforts. An email ID to report flaws is more important than summoning people regarding data breaches.
“The fear of criminal prosecution hanging over the heads of ethical hackers would not help us develop a robust and strong security architecture,” said Karan Saini, a Delhi-based researcher who first highlighted the Aadhaar leak at Indane.