tech2 News Staff

There is really no stopping irresponsible use of Aadhaar data.

In the latest incident, Aadhaar details of thousands of Jharkhand government employees have been exposed thanks to a lapse in security. Employees who use the Aadhaar biometric attendance system to mark their attendance have had their details exposed, as the servers holding this information have been without a password since 2014. The details available to anyone looking in the right place include Aadhaar numbers, names, job titles, email IDs and partial phone numbers. Around 166,000 employees' data has been left exposed, according to the report in TechCrunch.

The photos that have been uploaded on this attendance system use the person's Aadhaar number as the file name. The central biometric database seems to be secure according to the report.

This is yet another case of government agencies using Aadhaar as a verification system without taking enough measures to secure the database online. According to TechCrunch, the site was found on a subdomain of the Jharkhand government's website. It looks like not enough security has been put in place: not only has the site been indexed by Google, but the attendance record pages, which carry the employees' Aadhaar numbers, are also visible.

Robert Baptiste, who goes by the handle @ElliotAlderson, claimed that with fewer than a hundred lines of Python code, one could easily scrape the entire data from the site in batches and match employee photos with their Aadhaar numbers.

Neither UIDAI nor the Jharkhand govt has commented on the matter. The UIDAI's Twitter handle, which it uses to 'debunk' allegations, hasn't seen any update in the last 24 hours. According to the report, the website which has these details has been taken offline.

In the past, we have seen how the Unique Identification Authority of India (UIDAI) has not taken any criticism of lapses in Aadhaar security in the right spirit. We all know how UIDAI went after the journalist from The Tribune who exposed an Aadhaar racket which involved getting complete access to the Aadhaar database for Rs 500. There have also been ridiculous claims by UIDAI on how the biometric database is protected by 5-foot-thick walls.

Here's a whole list of Aadhaar-related data breaches that have happened over the years. Whether it's the Aadhaar app, government websites (as was the case with the above story), third-party leaks, duplication of Aadhaar cards, and so on, no clear measures have been forthcoming.

Thankfully, after the massive 38-day hearing on Aadhaar, the Supreme Court bench ruled that using an Aadhaar card for verification would not be compulsory for things such as getting a mobile SIM card, bank enrollment, registering for exams such as NEET and JEE, and enrolling for admissions in universities, among other things. An Aadhaar number or proof of enrolment is, however, compulsory for individuals to avail certain government benefits, services, or subsidies being given by either the Centre or any of the states.