Aadhaar has transformed from being the world’s largest biometric universal identity system to a privacy and security nightmare for the government as well as citizens. We recently highlighted how easy it was for criminals to commit crimes such as identity theft, financial fraud, and property, but it appears that Andhra Pradesh is the hotbed of Aadhaar-related data leaks and the state government’s lackadaisical attitude to web security is to blame for it.

Independent security researcher Srinivas Kodali shed light on the major Aadhaar leaks that have been steadily trickling in from Andhra Pradesh over the past few months, giving a clear idea of how the problem has only worsened over time.

A thread on all the #Aadhaar data leaks from Andhra Pradesh. The first leak I reported about AP was part of my report on why leaks are happening. The AP government published details of 2 crore residents' Aadhaar, bank account numbers, phone numbers as MS Access databases online pic.twitter.com/k7Nad3WZo1 — Srinivas Kodali (@digitaldutta) August 7, 2018

Kodali started with one particular incident that also received widespread media coverage, in which a government website published the Aadhaar details of 2 crore citizens. The leaked data contained information such as Aadhaar numbers, bank account details, mobile numbers and phone numbers, published as MS Access files that were openly accessible to anyone without any layer of encryption or security whatsoever.

The next major leak exposed the data of nearly 9 million workers employed under the NREGA rural employment scheme in the state of Andhra Pradesh. The leak on the AP government’s Benefit Disbursement Portal contained details such as the names of beneficiaries, Aadhaar numbers and Job Card numbers. Moreover, the Aadhaar data of NREGA beneficiaries was leaked by two different government portals, which shows how easy it is to access an individual’s personal information, and with the aid of government websites at that.

This was followed by the government spilling out the data of every single school student in the state. The whole treasure trove of data was shared with Microsoft and was created as part of a joint initiative between the state’s education ministry and Microsoft to identify students who are at risk of dropping out of school. As part of the project, Aadhaar details and academic information of students were to be fed into a machine learning system that would assess every single student’s academic journey and identify ‘at-risk’ children, so that teachers could help them.

This was similar to another discrepancy spotted by Kodali, when he came across data on nearly 7 million children stored in an unsecured manner on a government portal. Anivar Aravind, an Indian developer and executive director at a social analytics firm, also discovered the hoarding of the Aadhaar data of as many as 9 crore (90 million) school students back in June. The database was hosted on an archaic-looking government website belonging to U-DISE (Unified District Information System for Education), a body which has a database of 21 crore students across India.

Andhra Pradesh carried out a huge #Aadhaar based survey and geotagged every resident and the family details by doing ekYC. All of this data was published. You can micro analyse voters in Andhra Pradesh, just using family details, house location, voter lists, living conditions pic.twitter.com/zORB5Khqu4 — Srinivas Kodali (@digitaldutta) August 7, 2018

In addition to geo-tagging every citizen, all thanks to the eKYC process, the state government opened doors for unscrupulous elements to micro-analyze voters in the state for political gains with relative ease, because all that data was openly accessible.

And as if that was not enough, the Andhra Pradesh government also created a portal that would allow anyone to extract information related to any individual registered in the Aadhaar database. This ‘Aadhaar search engine’ was thought to be non-existent. However, not only was it very real, it was also publicly accessible.

This was followed by another major Aadhaar data leak, when government websites in Andhra Pradesh openly published the Aadhaar data of around 20,71,913 pregnant women, alongside details about their reproductive history, vaccination details of the infants, and a lot more. The data was listed on the websites of the state-sponsored Nutrition and Health tracking system and the Reproductive and Child Health (Health and Family Welfare Department) portal run by the state government.

The data listed on the websites contained complete details of the reproductive history of over 20 million pregnant women, including details of childbirth, risk status, follow-ups and whether the fetus was aborted. In another similar incident, the state government collected details such as the phone number and name of every individual who purchased medicines from government hospitals and generic pharmacies, and later published them openly on an unsecured dashboard on the Anna Sanjivini website.

Every resident's property tax, water bills, advertisement tax details along with #Aadhaar numbers, mobile number, GPS lat, long, who lives there and electoral ward you belong to. All of this data is stored with an NGO started by @NandanNilekani. They knew the data was leaky in 2015 pic.twitter.com/5InVmW3fD9 — Srinivas Kodali (@digitaldutta) August 7, 2018

In addition to details of social scheme benefits, medical history and academic details of students, even more information such as tax details, location information, etc. was also leaked. Surprisingly, all that information was stored on the servers of an NGO started by Nandan Nilekani, the Infosys co-founder who was among the brains behind the creation of Aadhaar.

Government officials also joined the fray and leaked the Aadhaar data and salary details of their colleagues, while the Swachha Andhra Pradesh portal was also busy spilling out more Aadhaar details. Later in April, another AP government website leaked details of citizens based on their location, caste and religion. This was quite scary, since it allowed anyone to pinpoint the houses inhabited by Muslim, Dalit, Hindu and even Zoroastrian families, and could lead to all sorts of troubles ranging from influencing political opinions along sectarian lines to discrimination and violence.

Andhra Pradesh has made #Aadhaar mandatory for everything and they claim they need all of this data for real-time governance. Something which @UIDAI Chairman (part-time) J SatyaNarayana advised. Surveillance has a new name – real-time governance. pic.twitter.com/XwuioeIqbT — Srinivas Kodali (@digitaldutta) August 7, 2018

And to top it all off, there’s another highly invasive initiative called e-governance, which involves building a 360-degree profile of every citizen that is to be listed on a People Hub, which is a part of the real-time surveillance project called E-Pragati. However, experts have raised questions about whether this e-governance project is nothing but a highly intrusive state-sponsored surveillance program masked as progressive e-governance, and another Aadhaar leak waiting to explode.

By now, it is quite evident that in the sea of Aadhaar leaks, Andhra Pradesh is the biggest iceberg and we have only seen the tip of it. Unless the state government abandons its lax approach and takes proactive measures, more leaks will keep coming.