India's massive citizen database was reportedly breached

A reporter was sold admin access to the Aadhaar database for less than $8.


India's government Aadhaar database, which holds personal information of over one billion Indian citizens, was allegedly breached, BuzzFeed News reports. Along with demographic info, the database also contains biometric data like fingerprints and iris scans. Indian publication The Tribune reported earlier today that it was able to access any registered citizen's demographics after it was granted admin access by an anonymous individual. In just 20 minutes, a reporter was given an administrator ID and a password after contacting the individual through WhatsApp and transferring what amounted to less than $8. Afterwards, the reporter was able to plug in anyone's Aadhaar number and get their name, address, postal code, photo, phone number and email. For an additional $5, the reporter was also able to get software that allowed them to print an Aadhaar card with anyone's number.

An officer with the Unique Identification Authority of India (UIDAI), the government authority that runs Aadhaar, initially told The Tribune, "Except the Director-General and I, no third person in Punjab should have a login access to our official portal. Anyone else having access is illegal, and is a major national security breach." However, UIDAI later released a statement denying a breach, saying The Tribune's article was "a case of misreporting" and assuring that "there has not been any Aadhaar data breach." But in the same statement it admitted that The Tribune report was an "instance of misuse of the grievance redressal search facility," suggesting that sensitive data was in fact accessed. India's Bharatiya Janata Party, one of the country's two major political parties, called The Tribune's report "fake news."

BuzzFeed News got in touch with the person who allegedly sold The Tribune the admin access. The person said that they had paid around $95 for access themselves through a WhatsApp group and were told that they could then create as many usernames and passwords as they wished. Becoming an Aadhaar admin appears to allow you to create other admin accounts, a feature that seems like a fundamental flaw of the system. The person admitted to selling access to seven other people over the last week but said they didn't know they were breaking the law or compromising data security by doing so.

Many have been critical of the database, data from which has been exposed before, for its lack of security, and this alleged breach has just added fuel to the fire. Meghnad S, spokesperson for India's online movement, told BuzzFeed News, "In its hurry to make Aadhaar mandatory and not ensuring data safety, the government has allowed shady vendors to exploit this data for their own gains."