India’s biometric identification system Aadhaar, managed by the Unique Identification Authority of India (UIDAI), may have been breached by hackers, leaving personal information vulnerable, according to The India Tribune.

Journalists were reportedly able to buy credentials to access the details (name, address and postcode, photograph, phone number and email address) of all the UIDAI users, of which there are over a billion.

– Thinkstock

Definitely didn’t see this coming

For a mere Rs500 ($7.89), transferred using the Paytm platform via a seller found on WhatsApp, reporters were allegedly given a login and password to access the data.

In exchange for more money ( another Rs300, or $4.73), the journalists claimed they were granted access to software which allowed one to print an Aadhaar identification card.

The news follows on claims earlier this year that foreign firms may have been given access to the database for commercial purposes, an accusation which officials denied, stating that the information was stored away safely within dedicated UIDAI data centers.

Another incident saw the co-founder of Qarth Technologies, Abhinav Shrivastava, arrested for allegedly creating an app which gave individuals access to other peoples’ personal information, and in another case, Wikileaks published a report showing that the CIA may have had used the same biometric identity management services as UIDAI in the context of an international biometric data collection program.

Though the newspaper’s investigation is contested, the belief is that over six months ago, Ministry of Electronics and Information Technology (ME&IT) employees were contacted by members of the anonymous WhatsApp group and offered access to the database, giving them the opportunity to sell Aadhaar services to individuals illegally.

Because the software which enabled the printing of Aadhaar cards reportedly gave the journalists access to, the theory is that hackers may have had access to the state of Rajasthan’s government website.

The risks of such a breach are self-evident, as the personal details in the database offer enough information to enable phishing and identity theft. The situation could have been worse if the scheme was made mandatory, as planned by the current Indian government, and included citizens’ bank details.

Fake News

UIDAI representatives denied there was a data breach and in a statement denounced the newspaper for “misreporting” the facts, saying that any misuse of the search facility can be tracked, and stating that a First Information Request (FIR) “against people involved in the instant case” is under consideration.

It continued to say that “the grievance redressal search facility gives only limited access to name and other details and has no access to biometric details,” and that the Aadhaar number is not a secret number, but “to be shared with authorized agencies.” Finally, ignoring the Tribune’s report, it stated that “claims of bypassing or duping the Aadhaar enrolment system are completely unfounded.”

The current party in power, the the Bharatiya Janata Party (BJP), put out a statement on Twitter, calling the breach “fake news.”