There is a touch of disingenuousness to the EPFO’s claim, made on Thursday, that there had been no leak of Aadhaar data from its servers. The ‘clarification’ from the state provident fund organisation came in the wake of social media revelations of a letter written by Chief Provident Fund Commissioner VP Joy to Dinesh Tyagi, CEO of the Common Service Centre, the government’s e-governance delivery arm, operating within the Ministry of Electronics and Information Technology. The leaked letter, whose provenance and authenticity have not been challenged by authorities, cited an Intelligence Bureau note of March 22 to place on record that hackers had exploited vulnerabilities in the technology platform for Aadhaar seeding of EPFO accounts and that “data had been stolen.” Responding with alacrity to the IB alert, Joy discontinued the remotely managed services provided by the Common Service Centre and directed the agency to “plug… the vulnerabilities” and implement “other suggestions” made by the IB.

The EPFO’s claim that “no confirmed data leakage has been established or observed”, therefore, runs counter to the Chief Provident Fund Commissioner’s unambiguous assertion of loss of data to hackers. Nor can EPFO subscribers derive any comfort from the statement of the Unique Identification Authority of India (UIDAI) noting that “this matter does not pertain at all to any Aadhaar data breach from UIDAI servers”. Such a ‘hands-off’ mindset points to an excessive concern with jurisdictional blame-shifting, and does not exactly hold out the assurance of infallible security.

Advertising Advertising

Unfortunately, the EPFO revelations are only the latest in a string of successive disconcerting breaches of Aadhaar-related data. In 2018 so far, there have been at least six other egregious instances of leaks and thefts of Aadhaar-related data. The sheer diversity of the platforms from which the data has been ripped off — from websites listing beneficiaries of rural jobs programmes to the public distribution system in Gujarat to the Bangaru Talli scheme in Andhra Pradesh to the Indian Oil Corporation’s systems incorporating details of Indane customers — suggests that callous disregard for data protection is a widely shared malaise across States, government departments and other agencies. Other than offering vacuous assurance about the security of the data with the government and with private agencies, the response of officialdom has been appallingly unsympathetic and out of touch with public sentiment. In its rush to create an all-pervasive Aadhaar-based ecosystem, the Centre has failed abysmally to provide even the most rudimentary failsafe procedures to protect the data in its care.