The Indian government found itself fighting new allegations of security issues surrounding its national citizen identification system, Aadhaar, over the past week.
As PaymentFacilitator.com has reported before, Aadhaar has previously been criticized for not taking appropriate security measures.
The unique identification numbers are part of the government’s shift toward a digital infrastructure, and payment authentication has been one of the ways they are used. The government-supported Bharat Interface for Money (BHIM) payment app, for example, includes a “Pay to Aadhaar” feature.
The recent uproar was caused by a media report of unauthorized access. Journalists from The Tribune newspaper reported being able to purchase a username and password enabling access to the database. A search on an Aadhaar number would reveal personal details associated with that number, the newspaper said.
The Unique Identification Authority of India (UIDAI), which administers the Aadhaar program, has tried to quell concerns, calling media coverage of the issue “incorrect and misleading.”
The incident was a misuse of a search interface that gave “designated personnel” providing government services the ability to look up certain demographic details, the agency said in its statement. The interface gave no access to the biometric data that criminals would need to commit fraud with the information they obtained, it said.
Access to the interface is traceable and those associated with the incident had been reported to law enforcement, UIDAI said in its initial statement. Because the newspaper was included in the report to authorities, the agency found itself defending against accusations of targeting the media just a few days later.
The Economic Times reported that UIDAI has since taken steps to restrict the ability of government-designated agents to access data. Now they must use an individual’s biometric information – a fingerprint, for example – as authentication before seeing that individual’s record, the publication said.
While apparently not technically a breach in the hacker-gets-through-the-firewall sense, this latest event adds fuel to the fire for Aadhaar’s critics and serves as a reminder to payment facilitators and anyone else responsible for sensitive data: proper security requires a holistic view. You must be sure all of the doors and windows into the data are tightly locked.