The story was about how Aadhaar data was being sold for as little as Rs 500 – and instead of addressing the issue, the UIDAI is on the defensive.

Aadhaar data breach story: UIDAI slammed for ridiculous FIR against reporter
Sunday, January 07, 2018 - 11:33

A deputy director of the Unique Identification Authority of India (UIDAI) has registered an FIR against The Tribune and its reporter Rachna Khaira for a story on an alleged breach of Aadhaar data security that was published in the newspaper recently. The FIR has also been registered against three people – Anil Kumar, Sunil Kumar, and Raj – whom the reporter spoke to during the course of her investigation.

Reportedly, the "FIR has been lodged with the Crime Branch's cyber cell under IPC Sections 419 (punishment for cheating by impersonation), 420 (cheating), 468 (forgery) and 471 (using as genuine a forged document), as well as Section 66 of the IT Act and Section 36/37 of the Aadhaar Act."

In an investigative piece published on January 3, 2018, Rachna reported that anonymous sellers over WhatsApp were allegedly providing unrestricted access to details for any of the more than 1 billion Aadhaar numbers created in India thus far. For its reporting, The Tribune had "purchased" one such service.

The FIR states, "The above-mentioned persons have unauthorisedly accessed the Aadhaar ecosystem in connivance of the criminal conspiracy… The act of the aforesaid involved persons is in violation of (the various sections mentioned in the FIR)… Hence, an FIR needs to be filed at the cyber cell for the said violation."

Outrage over FIR

Many online users have since criticised UIDAI's move of filing an FIR against a journalist who exposed a vulnerability in its system, instead of addressing the issue.

Sunil Jain, Managing Editor of Financial Express, tweeted that had The Tribune not published the story, the UIDAI may not have even known about a possible breach.

Others have slammed the FIR, calling it "ridiculous".

One was of the view that the organisation should in fact encourage ethical hackers to find flaws in the system.

The Tribune report

In the report, the reporter stated that she had to pay Rs 500 through Paytm, and in 10 minutes "an 'agent' of the group running the racket created a 'gateway' for this correspondent and gave a login ID and password. Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI (Unique Identification Authority of India), including name, address, postal code (PIN), photo, phone number and email."

Soon after, the UIDAI said that its search facility for grievance redressal may have been misused but denied any breach or leak of Aadhaar data.

The authority that collects and maintains biometric and other details for the unique ID holders called The Tribune report "a case of misreporting". But the newspaper stood by its story, saying the UIDAI claiming no breach of Aadhaar data "flies in the face of that".

(IANS input)