ZDNet is withholding details about the security lapse because it says Indian officials haven't done anything about it. Karan Saini, a New Delhi-based security researcher, spotted the vulnerability and says a data leak in a state-owned utility company's system is letting anyone retrieve information on any Aadhaar member. Names, Aadhaar identity numbers and bank information are all exposed.
ZDNet spent over a month trying to get in touch with Indian authorities and, after receiving no replies, contacted the Indian Consulate in New York. ZDNet spent two weeks describing the problem, but it remained unaddressed. It said the vulnerability was still accessible at the time of publication.
Aadhaar has experienced a number of other security issues in the past. Earlier this year, reporters at Indian publication The Tribune were able to buy an Aadhaar administrator ID and password from an individual through WhatsApp. It cost less than $8 and took 20 minutes, and they were able to enter any Aadhaar ID number and access that person's name, address, photo, phone number and email.
Aadhaar has attracted a lot of criticism for the repeated security lapses it has suffered over the years and the country's Supreme Court is currently assessing Aadhaar's constitutional validity.