New Delhi: The security of the Aadhaar database was questioned again as a HuffPost India report claimed that Aadhaar software data was hacked and that biometrics, as well as personal information of over 1 billion Indians, were compromised. The software was apparently hacked by a software patch that disables security features of the software used to enrol new Aadhaar users. The report added that the software was available for Rs 2,500 and that it allows unauthorized people to generate Aadhaar numbers from anywhere in the world.
The Unique Identification Authority of India (UIDAI) dismissed the claims in a press release which stated that the claims lack substance and are completely baseless. The release further stated that certain vested interests are deliberately trying to create confusion in the minds of people, which is completely unwarranted. According to UIDAI, the claims made in the report about Aadhaar being vulnerable to tampering, leading to ghost entries in the Aadhaar database by purportedly bypassing operators’ biometric authentication to generate multiple Aadhaar cards, are totally baseless.
UIDAI clarified that the claim about the Aadhaar database is completely unfounded, as UIDAI matches all the biometrics (10 fingerprints and both irises) of a resident enrolling for Aadhaar with the biometrics of all Aadhaar holders before issuing an Aadhaar. It further stated that it has taken all necessary safeguard measures, spanning from providing standardized software that encrypts the entire data even before saving it to any disk, protecting data using tamper proofing, identifying every one of the operators in “every” enrolment, and identifying every one of thousands of machines using a unique machine registration process, which ensures every encrypted packet is tracked.
Full measures to ensure end-to-end security of resident data, spanning from full encryption of resident data at the time of capture, tamper resistance, physical security, access control, network security, stringent audit mechanism, 24×7 security and fraud management system monitoring, and measures such as data partitioning and data encryption within UIDAI controlled data centres, are taken, read the UIDAI release.
The release also said that no operator can make or update an Aadhaar unless the resident himself gives his biometrics. Any enrolment or update request is processed only after the biometrics of the operator are authenticated and the resident’s biometrics are de-duplicated at the backend of the UIDAI system. The system checks the enrolment operator’s biometrics and other parameters before processing the enrolment or update, and only after all checks are found to be successful is the enrolment or update of the resident processed further. Therefore it is not possible to introduce ghost entries into the Aadhaar database.
Similar allegations were also made before the Hon’ble Supreme Court during a hearing of the Aadhaar case before the Constitution Bench, which were then adequately responded to by UIDAI in the Hon’ble Supreme Court, said UIDAI.
UIDAI completely dismissed the reported claim of anybody being able to create an entry in the Aadhaar database and then create multiple Aadhaar cards. It said that some of the checks include a biometric check of the operator and the validity of the operator, enrolment machine, enrolment agency, registrar, etc., which are verified at UIDAI’s backend system before further processing is done.
If an operator is found violating UIDAI’s strict enrolment and update processes, or if one indulges in any type of fraudulent or corrupt practices, UIDAI blocks and blacklists them and imposes a financial penalty of up to Rs 1 lakh per instance. It is because of this stringent and robust system that as on date more than 50,000 operators have been blacklisted, UIDAI added.
UIDAI added that it keeps adding new security features in its system as required from time-to-time to thwart new security threats by unscrupulous elements.
UIDAI has also advised people to approach only the authorized Aadhaar enrolment centres in bank branches, post offices and Government offices for their enrolment/updation so that their enrolment/updation is done only on authorized machines and their efforts do not get wasted because of rejection of their enrolments or updates.