The nightmare is a reality in India. Reports from the country suggest that the government’s national ID system — Aadhaar, which holds personal data belonging to more than one billion people — was compromised.
On the slight positive side, the breach wasn’t down to hackers — at least on this occasion. The access hole was publicized after Indian newspaper The Tribune paid a man less than $10 in exchange for administration access to the database. Reporters from the paper were then given a username and password that allowed them to access information on any citizen by entering their 12-digit number.
It gets worse. BuzzFeed tracked down the seller down — a man going by the pseudonym Anil Kumar — and he told the publication that The Tribune deal was just one of eight transactions that he made that week. Each time he sold access to the database for 500 INR, around $8, using a contact he had on WhatsApp to get the requirement admin name and password.
“I paid Rs. 6,000 (approximately $95) to an anonymous person in a WhatsApp group I was a part of to create a username and password to the Aadhaar database for myself. I was told that I could then create as many usernames and passwords to access the database as I wanted. I sold each of them to make my Rs. 6,000 back,” Kumar told BuzzFeed.
In response to the situation, India’s ruling Bharatiya Janata Party took a line right out of President Trump playbook, calling reports of a breach “fake news.”
Notably, the term ‘breach’ doesn’t exactly fit the story here. Gaining access by paying a third-party isn’t really a breach, that’s just a hell of a messed up situation that can happen when a government uses a string of contractors to manage a highly-sensitive project.
Aadhaar isn’t mandatory in India, but a massive campaign to sign citizens up made it almost feel like it was last year. The ID system has crept into a range of services, such as school enrollment, ration disbursements and other national/government projects. Facebook even embraced it via a pilot that encouraged new users to provide details from their ID.
Facebook tested linking new accounts with Aadhaar ID details in December
Aside from the privacy issue of a government sucking up personal details — and this obvious security risk — there have been reports of tragedies at the hands of the program.
In October, the government denied that a girl in eastern state Jharkhand had died from starvation because her family was refused rations for failing to sign up to Aadhaar. In the same state, a second woman is said to have died in the same circumstances on Christmas Day.
Activists have pushed back on the program, which linked IDs to citizen’s mobile phone numbers, claiming that the data collection and usage is not constitutional. There have also been many warnings over lax security, including a flaw within the data capture process unearthed in July. Even given that backdrop, this week’s revelations have shocked the nation by showing just how easy (and cheap) it can be to gain access.
There’s lots of uncertainty in the confusion following these reports, but one thing is clear. India’s citizens deserve a better response from their government than an accusation of fake news.