Abhinav Srivastav

BENGALURU: Police arrested on Tuesday a 31-year-old MSc graduate from IIT-Kharagpur and currently employed with cab aggregator Ola as a software development engineer for allegedly hacking and illegally accessing the server of the Unique Identification Authority of India (UIDAI).

Abhinav Srivastav, who, according to police, lives at Yeshwantpur in Bengaluru and hails from Kanpur in UP, is suspected to have stolen demographic data - details like address, mobile phone number, email address, age and sex - of at least 40,000 Aadhaar cardholders by hacking into the UIDAI database. Police said he has not accessed any biometric data like fingerprints and iris scans.

According to police, Srivastav accessed UIDAI data through the e-hospital application hosted by the government's National Informatics Centre (NIC). "Srivastav had developed an e-KYC verification mobile application and hosted the same on (Google) Play Store. Anyone clicking on this app would enter the e-hospital service, which is a central government scheme with Aadhaar-related details in it," they said.

Police described Srivastav as an employee of Ola at its Koramangala office. Srivastav is said to have become part of the cab aggregator when the latter acquired his company, Qarth Technologies, last year.

City police commissioner T Suneel Kumar said Srivastav told police that he earned Rs 40,000 through advertisements (on the app). "I had developed an Aadhaar e-KYC verification app and put it on Google Play Store. I got Rs 40,000 from ads shown on the app between January and July this year," Srivastav was quoted as saying.

However, police suspect there is more to the issue and said they will question him further. Srivastav was remanded on Wednesday in police custody for 10 days. He is booked under sections in which perpetrators are punishable with imprisonment up to three years and a penalty of Rs 10 lakh.

"We would like to question his motives for hacking and stealing the information and how he managed to access the server of UIDAI," additional commissioner of police (crime) S Ravi said.

Asked about the matter, an Ola spokesperson said: "Ola has neither commissioned nor is involved in any such activity. No such complaint has been brought to our notice."

Kumar said the arrest was made on the basis of a police complaint filed by an official with UIDAI.

Ashok Lenin, deputy director of the Bengaluru UIDAI office, had on July 26 filed the complaint with the High Grounds police station, accusing Srivastav of stealing information from the Aadhaar server. In his complaint, Lenin said, "The accused developed an app and accessed details on Aadhaar website without authentication and provided the same as e-KYC details. The data theft started on January 1, 2017 and went on until July 26."

A senior cybercrime police official said Srivastav has described himself as an ethical hacker in some online profiles. "His personal data shows that he had worked as a security researcher with Iviz Security and successfully explored vulnerabilities in internet payment gateways. Most importantly, one of his profiles says he "built tools for exploring Flash Vulnerability", which apparently received the appreciation of world-renowned hacker Jeremiah Grossman, the founder of web security firm WhiteHat Security. So we cannot take him or his works lightly," he said.

The case has been transferred to CID's cybercrime cell. The complaint has been registered under Sections 37 and 38 of the Aadhaar Act. The cybercrime police registered the case under Sections 65 and 66 of the Information Technology Act and Sections 120B, 468 and 271 of the Indian Penal Code.

