Aadhaar data breach adds to privacy woes
NEWDELHI: A case of Aadhaar data breach has raised privacy concerns and raised questions over the security of biometric data in possession of the Unique Identification Authority of India (UIDAI). This comes at a time when the government is pushing for Aadhaar-based transactions to promote its digital mission and the apex court is poised to debate concerns on privacy.
The UIDAI filed a police complaint on February 15 against Axis Bank Ltd, business correspondent Suvidhaa Infoserve and esign provider eMudhra, alleging they had attempted unauthorised authentication and impersonation by illegally storing Aadhaar biometrics.
A UIDAI official, who requested anonymity, said that the three had been given time till February 27 to explain their action. The breach was detected after UIDAI found multiple transactions done with the same fingerprint. The official quoted above said that this would not have been possible without the core biometrics being stored and used without authorisation.
“This shows that the confidence with which the government said that Aadhaar is invulnerable is misplaced. If UIDAI is admitting the breach, that is to its credit. But it needs to be much more forthcoming to secure this sensitive data,” said Chinmayi Arun, director at the Centre for Communication Governance at National Law University, Delhi.
The breach was noticed after one individual performed 397 biometric transactions between July 14, 2016 and February 19, 2017. Of these, 194 transactions were performed through Axis Bank, 112 through eMudhra and 91 through Suvidhaa Infoserve.
Under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, copying Aadhaar data is a criminal offence and entails a three-year sentence and a fine.
According to Axis Bank’s spokesperson, a developer from Suvidhaa carried out four live Aadhaar-based authentications even when the testing phase for them was going on. One can only do live authentications after no errors are found out in this phase. “If something goes wrong in the testing phase, it has to be reported to us by Suvidhaa, they are accountable for it.”
“The testing was done by our in-house team but there has been no financial loss as of now. We will submit our report to UIDAI on Monday,” said Paresh Rajade, CEO of Suvidhaa.
eMudhra denied storing biometrics.