Over the past few years, India’s Aadhaar system – which grants citizens a unique ID and access to government services – has come under fire for overshooting its prescribed applications and lack of data security. It’s not out of the woods yet, as Huffington Post India reports that it’s discovered a software patch that could have compromised the software used to enrol Aadhaar users and allow anyone in the world to register an ID.

That’s worrying, because people rely on their Aadhaar IDs to receive services and benefits like subsidized rations, pensions, and scholarships. Fake IDs can allow people to scam the system and score these benefits, while placing an additional strain on government funds and machinery.

It could also lead to identity theft, leading to people being locked out of access to essential services, with little recourse for proving the authenticity of their IDs and getting back into these programs.

HuffPo found that the software used by enrolment centers – many of were run for profit by private citizens and companies, especially in rural areas in India – could be compromised by a $35 patch, so as to allow people to bypass the authentication processes that would let them enrol Aadhaar users.

It also made it easier to spoof the iris recognition tool used to authenticate new Aadhaar users: The patch weakened the recognition software’s checks so it’d accept photographs of people, instead of requiring them to be physically present for enrolment.

It isn’t clear how long this has been in use, and whether scammers can continue to take advantage of it now that the Unique Identification Authority of India (UIDAI) – which is in charge of the Aadhaar program – has terminated all contracts with external enrolment centers. It’s possible that this patch may have already been used to register numerous fake IDs.

The UIDAI has repeatedly asserted that the Aadhaar database hasn’t been breached, so it’s completely secure. But the fact is that it has several endpoints that could be vulnerable to tactics like this, and to others that previously allowed people to purchase a copy of anyone’s Aadhaar info for just Rs. 500 ($7), and allowed private citizens unrestricted access to Aadhaar data.

Clearly, it’s not a perfect system, and the agency needs to do better to secure Aadhaar for more than a billion users.

Head to Huffington Post India to read the full investigative piece, which includes more details on the ramifications of this vulnerability.

Read next: We don't need Elon Musk for an innovative tech industry