Agents at several enrolment agencies are willing to part with demographic records collected from Aadhaar applicants for Rs 2-5.

Nandan Nilekani's trailblazing biometric ID system, apparently modelled on first FBI director J Edgar Hoover's massive central database of fingerprints, is in the spotlight after reports of a cyber attack which leaked Aadhaar data. A report by The Tribune had claimed that one of its reporters paid just Rs 500 to an 'online agent' to access names, addresses, PINs, photos, phone numbers and emails of more than 1 million numbers.

However, an India Today investigation has revealed that the Aadhaar data breach racket is not merely online, but could be widespread, with agents at several enrolment agencies willing to part with demographic records collected from Aadhaar applicants for Rs 2-5.

Enrolment agencies are entities hired by the Registrars for enrolment of residents, during which demographic and biometric data are collected as per the UIDAI enrolment process, according to uidai.gov.in.

One such enrolment agency is Alankit Assignments Limited, located in Faridabad. "You can see for yourself," said Alankit's branch head Ishpal Singh, when asked whether this was Aadhaar data, as he plonked an entire file of 250 applicants on his desk.

YOUR CHOICE: SCAN THROUGH OR COPY DATA

"I can give you data of 15,000 applicants for Rs 30,000," a brazen Singh, who is the branch head of Alankit, told India Today reporters, who posed as businessmen seeking to expand their database of potential customers. He was ready to provide an applicant's name, address, birth date, mobile numbers and email for merely Rs 2.

Subsequently, Singh advised the India Today reporters to copy down every bit of information from his dossiers right there. "I will give you a bundle of 250 forms (application acknowledgements). I have records of 50,000 applicants. You can note down all the data."

The probe shows how Section 28 of the Aadhaar Act, which states that the UIDAI must ensure the security and confidentiality of identity information and authentication records, is brazenly flouted. "The Authority shall adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons," Section 28 further states.

PRIVACY GONE FOR A TOSS

Nilekani, the architect of Aadhaar, had vouched for its security last April. "It's a very, very secure system. The level of encryption that Aadhaar has is way above any other system today, including in the private sector. Plus, security keeps getting enhanced," he had said.

Another enrolment centre at Indirapuram, Ghaziabad, was willing to sell data of 4-5 lakh applicants. Senior official Ashish Gupta offered the database not only from this facility, but also from three others under his command in Delhi.

"I'll get the data on an Excel sheet," Gupta replied when asked if he could offer information about all the applicants in Indirapuram. He is ready to provide all this data for Rs 3-5 per applicant.

An Aadhaar enrolment centre at Sector 10, Noida, was no different, with the main agent, Sonu, demanding Rs 4-5 per applicant. "I have made 40,000 Aadhaar cards so far." He offered PDF copies of acknowledgements of applicants' information.

These agents are operating with blatant disregard for the Aadhaar Act. Section 37 of the Act says "intentional disclosure or dissemination of identity information, to any person not authorised under the Aadhaar Act, or in violation of any agreement entered into under the Act, will be punishable with imprisonment up to three years or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company)".

WHAT UIDAI CLAIMS

Meanwhile, the UIDAI has reiterated that Aadhaar data cannot be hacked.

A day after The Tribune reported a breach of the unique ID records, the UIDAI insisted the system is fully equipped to deal with any leaks.

In a statement, the authority emphasised "there has not been any Aadhaar data breach. The Aadhaar data, including biometric information, is fully safe and secure."

Claims of bypassing or duping the Aadhaar enrolment system, it said, are totally unfounded. "Aadhaar data is fully safe and secure and has robust uncompromised security. The UIDAI Data Centres are infrastructure of critical importance and is protected accordingly with high technology conforming to the best standards of security and also by legal provisions."

But reports of data leaks triggered a strong political reaction from opposition leaders.

In a tweet, communist leader Sitaram Yechury demanded the government roll back its order to link Aadhaar with bank accounts.

The perils of making Aadhaar mandatory and linking it to bank accounts, as insisted upon by Modi govt, are visible here. Do we need more proof to stop this madness? https://t.co/9OEbitCmDO January 4, 2018

Congress leader Randeep Surjewala described the reports of data theft as a "mockery" of the citizens' right to privacy.