Aadhaar data stolen by I-T Grids proves UIDAI's main database can be breached: Experts

In an FIR filed in Hyderabad, the UIDAI has claimed that the Aadhaar data of about 7.82 crore citizens have been stolen and the Telangana police believe that the data could have been used for voter profiling by the company IT Grids for the Telugu Desam Party. IT Grids, which developed TDP's Seva Mitra application, was at the centre of controversy for alleged data theft, in the run-up to the Assembly elections in Andhra Pradesh. Two days ago, the UIDAI case has also been transferred to a Special Investigative Team (SIT) looking into the IT Grids case.

Those working in the field of cybersecurity research now say that the IT Grids case is "unique," as the stolen data was stored in the same way the central Aadhaar database is stored. A similar observation was also made by the Telangana State Forensic Science Laboratory (TSFSL) in their report to the police.

UIDAI's central database breached?

According to a government response to a query in the Lok Sabha, 30 FIRs have been filed till 2017 for violations of the Aadhaar Act, 2016. But in this instance of a data breach by IT Grids, it is believed that the firm could have stolen the data directly from the State Resident Data Hubs (SRDHs) maintained by Andhra Pradesh and Telangana or from the Central Identities Data Repository (CIDR). The CIDR is the central database of Aadhaar that contains the biometric data, the very same database the UIDAI claims to have been unbreachable.

The SIT of the Telangana police found Aadhaar data of 7,82,21,397 residents from the two Telugu states stored in hard disks. The data sets were stored in a "particular structural database," found TSFSL, after conducting a cyber forensics test on the disks.

The IT Grids firm was hired by the Telugu Desam Party  (TDP) to create an official app for the party named ‘Seva Mitra’. This app was used by the party to collect demographic data, caste, voting preference, on how many schemes the voter is a beneficiary to and other details. The case was filed by a data analyst T Lokeshwar Reddy, who TDP alleges is associated with the YSRCP, it's rival in Andhra Pradesh.

The SIT has so far revealed that the Seva Mitra App is suspected of using stolen voter information along with Aadhaar data of the state governments of Telangana and Andhra Pradesh for voter profiling, targeted campaigning and even deletion of votes.

The 'national security' threat

In the UIDAI’s FIR to the police, the TSFSL mentions that they found the aadhaar data stolen by IT Grids to be stored in a particular format, such as EID_NUM, UID_NUM, EID_NUM, etc.  

The UIDAI, in their police complaint, wrote, "The presence of EID_NUM raises a strong suspicion that the data could have been obtained either from Central Identities Data Repository (CIDR) or one of the State Resident Data Hubs (SRDH) aligned to CIDR."  

Anand V, a security researcher, believes this is the "the smoking gun" that debunks the UIDAI’s claims that their CIDR database cannot be breached. The researcher pointed at the findings made by TSFSL.

"Both the SRDH and CIDR were interlinked. Until the passage of the Aadhaar Act in 2016, the states used to get regular synchronized updates from the CIDR and this was officially acknowledged by the UIDAI Chairman J Satyanarayana. The reverse is also true till the Aadhaar Act was passed and possibly even after that," he added.

If both the SRDH and CIDR were interlinked, all the data for the schemes an Aadhaar holder has enrolled for, if updated in the SRDH, will also reflect in the CIDR. So if the data is stolen from SRDH, it is equivalent to the data being stolen from the CIDR, say, researchers.

The SRDHs for the states were built with the aim of improving administration and to ensure better-targeted delivery of state benefits and schemes. Srinivas Kodali, a researcher on open data, said, “The UIDAI helped many states build these SRDHs but these databases are less secure and are now being misused. An attacker who wants the Aadhaar data doesn't need to attack CIDR, they need to just go after the third-party databases.”

The police investigation has so far revealed that IT Grids had hosted the Aadhaar database in the USA-based Amazon Web Services, a cloud service also used by US intelligence services, a violation of the Aadhaar act. The data of Aadhaar holders from other states are also suspected to be part of the stolen data. The UIDAI, in their complaint, has said this is a threat to national security as the data can be accessed and used by countries hostile to India or other international crime syndicates.

UIDAI’s refusal to acknowledge breach

The UIDAI had, in the past, refused to acknowledge that their database was ever breached. During the Supreme Court hearings on the constitutional validity of Aadhaar in 2018, the UIDAI had told the court that there has never been a single breach in the agency’s seven-year history.

UIDAI had claimed that reports on Aadhaar data leaks in the media were exaggerated. The agency had also claimed that the Aadhaar software was constantly being upgraded to prevent any leaks.  

When the court had raised concerns over the misuse of Aadhaar data for voter profiling, like in the case of the Cambridge Analytica controversy, the UIDAI had responded by saying, "The UIDAI simply does not have the learning algorithms like Facebook, Google to analyse details of users.”

However, according to the Telangana SIT, IT Grids allegedly has used the Aadhaar data along with other data sets to profile and even delete voters in Andhra Pradesh.

"Accepting problems with Aadhaar means the courts may not allow it to be used in day-to-day governance activities and this is one of the main reasons why UIDAI won't accept the problems," Srinivas said. The SC verdict upheld the legality of Aadhaar and restricted its use by private entities but allowed its use for certain government schemes, for PAN and filing tax returns.  

Rakesh Reddy Dubbudu Founder of Factly and a transparency campaigner is of the view that a data protection law is long overdue to reign in the misuse of Aadhaar, while some other researchers feel the law in its present draft form is inadequate.

"The reason a lot of people are against the idea of expanding Aadhaar to all domains is because of the misuse associated with it. In the wrong hands, Aadhaar becomes a tool for targeting. Today, it's being used for political use, tomorrow it could be something else," said Rakesh.

Rakesh is asking UIDAI to reveal data on who has gained access and downloaded the Aadhaar databases so far.  The UIDAI has told the Supreme Court that they are building a virtual ID to prevent the misuse of Aadhaar data but Rakesh asks, "What about the damage what has already been done? What about the data that's already out in the public domain and that people have downloaded? This data downloaded by IT Grids can also fall into the hands of many others," he added.