The Indian government keeps track of citizens using a database called Aadhaar. The core identifier for each citizen is a twelve-digit number, like a Social Security Number in the United States. The database tracks biometric data, demographics, and more associated with this number. Participation is voluntary but a critical requirement for access to certain government benefits and social programs. The benefits of Aadhaar for Indian citizens have led to widespread participation, thus making Aadhaar one of the largest databases in the world, considering India's huge population.
Starting from 2017 and continuing to the present day, not just one, but a variety of attackers (some benevolent, others hostile) have exposed multiple weaknesses in government websites that allowed sensitive Aadhaar data to be accessed by anyone with a computer and a web browser. Foremost among these attackers are the French whitehat hacker Baptiste Robert and the lakh illegal users who formed a gang of anonymous scammers on WhatsApp.
As a result of these ongoing identity shenanigans, billions of citizens and foreign residents of India have been exposed to an increased risk of identity theft and fraud over the last few years. In this case study, we'll seek to learn lessons from the Aadhaar data leaks and breaches that can be usefully applied to large enterprises with an equally compelling interest in protecting sensitive data for users. In the years since the leaks began, the Indian government has responded to the attacks (and the subsequent complaints from constituents) with attempts to improve the privacy protections for this data, with mixed results. Nevertheless, businesses with large data sets can glean substantial wisdom from the lessons learned by the Indian government.
The World Economic Forum's (WEF's) Global Risks Report 2019 says, “The largest (data breach) was in India, where the Aadhaar Database, reportedly suffered multiple breaches that potentially compromised the records of all 1.1 billion registered citizens. For example, it was reported in January 2018 that criminals were selling access to the database at a rate of Rs500 for 10 minutes, while in March, a leak at a state-owned utility company allowed anyone to download names and ID numbers.”
Governments worldwide have proactively pushed their policies to build an efficient digital identity ecosystem in recent years. Such positive actions represent the desire by world societies to advance beyond their traditional and inefficient paper-based existence to highly integrated digital economies. One such concept was the Aadhar from the Government of the Republic of India. It is a unique 12-digit number provided to India's citizens to enroll their data into the Aadhaar database. The official body that looks out the operations of the Aadhaar venture is UIDAI (Unique Identification Authority of India). The Aadhaar system's installation includes biometric data components such as iris scans and fingerprints. A successful enrolment is confirmed when the nature of the biometrics captured meet certain conditions and when they pass the redundancy check, i.e., verification of the given biometrics with the existing data in the Aadhaar to avoid counterfeit enlistment data. As of November 2021, 1.3 billion Aadhaar has been produced at an expenditure of around 60 billion Rupees. Therefore, it should be secured because there will be a lot of sensitive data stored in this database.
The rewards associated with implementing such digital identity systems include public and, or commercial services accessibility for the more significant population of the country. For example, the Aadhar database holds personal Information and biometric data – like iris scans and fingerprints of more than 1.3 billion Indian residents. Anyone enrolled in the database can use their Information to open a bank account or apply for a Passport and even buy their car or book hotel stays. Even companies and organizations like Zomato or OLA can take advantage of the Aadhaar data to recognize their clients. However, there is also a possibility for substantial long-term risks about the utilization of digital identity systems; such risks must therefore be addressed and without fail.
Attack Autopsy - how the attackers got in
In 2019, the online newspaper TechCrunch asked French security researcher Baptiste Robert, better known by the hacker alias Elliot Anderson, to review the security of the Aadhaar website. Baptiste found that he could download the entire database in batches, including photo IDs, with a simple, 100 line Python script. You can view this exploit code yourself on Baptiste Robert's public GitHub repository.
However, the sad reality of today's world is that benevolent white hat hackers like Baptiste are far from the majority. The so-called 1 lakh illegal users were a pseudonym given to the gang of fraudsters on WhatsApp who shared hacking methods for leaking Aadhaar data from government websites for malicious purposes. The main criminal activity of this organization was a fraud, illegally stealing government benefits that were supposed to go to poor and vulnerable people living in rural communities. The gang members would compile the stolen data and make it available as a service, selling access to the highest bidder. This criminal behavior even led to the foundation of small businesses in rural areas where access to Aadhaar was inconvenient for locals with inadequate documentation.
How did they Breach?
A software patch, which could be purchased for a minimal amount of $35, permits unauthorized people from anywhere on the planet to create Aadhaar numbers. A patch is a collection of code implemented to change a PC program or update, fix, or improve it. This incorporates fixing bugs.
Over 70 subdomains under a Government of India website provided access to demographic-authentication services without requiring identity verification from the requester. The websites allowed users easy accessibility to an application programming interface, or API, in which anyone can enter an individual's Aadhaar number, name, gender, and date of birth, and be directed to a page that either reads "yes" or displays an error message, indicating whether the Information corresponds to a valid entry in the Aadhaar database. However, providing unrestricted access to API raised significant privacy concerns and exploited hackers seeking to uncover people's Aadhaar numbers. Moreover, it violated the Aadhaar Act, which governs India's nationwide digital-identity program.
Timeline of Breaches
In 2010, the UIDAI allowed private agencies around different parts of the country to enroll users in the Aadhaar system to speed up enrolments. In the same year, Bengaluru-based Mindtree won a contract to develop an official, standardized enrolment software - called the Enrolment Client Multi-Platform (ECMP), installed onto the thousands of computers maintained by these private operators. Instead of using a web-based system in which all software would be installed on the UIDAI's servers, and enrolment operators would have a username and password to access the system, software's were installed on each enrolment computer. However, web-based enrolment software for Aadhaar was not practical because many parts of the country had inferior Internet connectivity. Therefore, more features were added to the software that Aadhaar enrolment operators used to fool data security. For example, the operators needed to log in to the software by first providing their fingerprint or iris scan. Also, a GPS device was attached to verify the login location. However, in early 2017, a software hack bypassed these security features.
The culprits here are exploiting access rights of over 3 lakh village-level enterprise (VLE) operators. During the initial days of Aadhaar enrolment, the Ministry of Electronics and Information Technology (ME&IT) hired around 3 lakh VLEs under the Common Service Centres Scheme (CSCS) to enroll citizens into Aadhaar. In April 2017, such initiatives were banned, and only post offices and bank premises were allowed to be used for Aadhaar enrolment. These lakhs of VLEs suddenly became jobless, and to get some additional income; they started offering 'Aadhaar services' to edit or modify details of others. But some of them crossed the line and started offering full access to the Aadhaar database, using their IDs and passwords. This is a significant security lapse, as UIDAI should have terminated all such VLEs access from the UIDAI database.
Article 21 of the Constitution of India gives that "No person shall be deprived of his life or personal liberty except according to procedure established by law. " Notwithstanding, the Constitution of India does not explicitly perceive the right to privacy as a fundamental right. (Article 21 of the Constitution of India,1950).
The Data Privacy and Protection Bill, 2019:
India has had a lot of data privacy cases in the last few years, but they never had data protection and privacy law. There has been much debate regarding the topic in the last few years, and something had to be done urgently. So most recently, a Bill was acquainted in the Parliament of India to bring privacy under the law. This isn't the only Bill on data privacy and protection presented in the Parliament of India. In any case, the Bill is not the same as the past Bills as in it looks to make the ascent of a person for gathering and preparing of individual Information obligatory. This new Bill expresses that the individual will have their right and the last ideal to adjust or expel individual Information from any open and private databases. The individual must provide express consent and agree with assent to accumulate, use, and store any sensitive and individual data information.
This Bill does not only exclusively apply to private companies or corporate bodies. Still, he is also similarly relevant to state-run companies, government organizations, or other people following up for their benefit. Indeed, according to this Bill, even the meaning of a "third party" incorporates the open specialists. This symbolizes a sudden, backed up, and secured law from the current system followed by India's IT Act and 2011 Rules. Nonetheless, as for sensitive, individual Information, Section 20(2) gives that no personal or sensitive information will be prepared for some other reason separated from its planned use yet can be utilized by plans and social security laws. (Section 20(2)). Henceforth, this would say that the Aadhaar plot would approach the enrolled citizen's data.
Even though this Bill is considerably more by the positive GDPR standards, it will probably not be in power until the subsequent pending prosecution regarding the Aadhaar plan finishes up regarding the utilization of the citizens' sensitive Information in India. UIDAI was not up to the mark to protect the identity of the enrolled citizens of India. Throughout the last year, various occurrences of Aadhaar Information have been released on the web through government sites. The latest case was when an RTI question pushed UIDAI to uncover that around 210 government sites made the Aadhaar details of individuals with Aadhaar accessible on the web.
The IT Act:
After its changes in 2008, the IT Act is furnished with numerous arrangements obliging information security, obligatory protection approaches, and punishments to be forced on the rupture of such protection strategies.
This segment is crucial for the assurance of Information. It states that if a corporate body deals with personal information or has the information stored in a PC, they possess it. They carelessly handle the Information and harms or gain any individual information; such body corporate will be obligated to pay harms by method for pay, which will not surpass an aggregate of INR 5,00,00,000. UIDAI did not intentionally harm the individual's information, but they mishandled the Information of the citizens enrolled in the Aadhaar database. The hon'ble supreme court is still looking for more evidence and proof from the UIDAI and the opposition.
Section 66 C:
This section deals with data fraud. It gives that whoever, dishonestly or deceitfully uses the electronic imprint, passwords, or some other unique, distinctive verification part of some other individual, will be rebuffed with confinement for a term which may connect if three years and will be in danger to pay a fine of up to INR 1,00,000. UIDAI is still convincing that the biometric data is still safe in the database and has critical security so that nobody can look up to it quickly.
Section 72 of the Indian constitution states that any individual who has tied down access to any data report register book or any electronic record or any material without the permission of the individual owning the Information and from there on reveals that Information to any third party or any other individual will be punished with detainment for a term which may stretch out to two years, or with fine which may reach out to INR 1,00,000, or with both. UIDAI leaked the Information to the government websites, which did not have enough security to protect the data, but they still say that the biometric data is safe.
The most notable response from the Indian government to Aadhaar misuse has been legislative attempts to merge Aadhaar with the more secure National Population Register. The UIDAI (a government agency that manages Aadhaar) already shares data with the NPR. The Home Minister and the Minister of State for Planning have had meetings to work towards this goal. Yet, so far, this has remained only a dream.
The Indian national government also shut down local government websites that were too lenient in giving out Aadhaar data. For example, the Jharkhand state government website was forced to temporarily shut down and modify its security to more safely handle Aadhaar data. Before this, some bureaucrats had decided to openly sell Aadhaar data (according to India's Tribune newspaper), so steps in the direction of restricting local administrators marked a positive turn in the history of this program.
Mitigation steps to avoid future data breaches:
In a country as massive and diverse as India, creating a secure system for the entire population is a challenge. Aadhaar was never meant to verify identity, but its connection with the receipt of vital government aid made it an inevitable target for abuse. And with so many agencies having access to the data, attackers could ignore states that implemented access securely and focus all of their energy on the ripest, weakest targets. As a result, India has made positive changes, such as pushing service providers to avoid using Aadhaar as an identity document and improving data sharing between government agencies.
But the core lesson to learn from the leaks that this program has suffered over the last few years is that if data is tied to financial gain, even if you don't call the data a credential, you must treat it as one if you don't want to become the victim of crime. According to a study from Tokyo University's Department of Applied Research in Cyber Security, APIs and other services using non-secret data such as social security, last four digits of the credit card number, and even literal usernames as secret credentials lead to over 50 million US dollars in losses in 2020 alone. As we see crystal clear from the Aadhaar case, this needs to change if we hope to protect digital citizens from cybercrime.