An alleged massive breach has further called into question the security of India’s contentious digital identity program Aadhaar.

Although the government had asserted that the central database cannot be hacked, a complaint filed by the Unique Identification Authority of India, which issues the Aadhaar identity card, alleges that the data of 78 million cardholders could have been compromised. These are residents of the southern states of Andhra Pradesh and Telangana.

“It is strongly suspected that the accused could have illegally stored the Aadhaar database of not only Telangana and Andhra Pradesh but possibly of a few other states in an offshore storage facility,” the UIDAI’s complaint states. “There is every possibility that sensitive data of Indian citizens could be accessed and used by countries hostile to India or international organized crime syndicates in a manner which could seriously be detrimental to national security.”

Authorities have accused information technology firm IT Grids (India) Pvt Ltd of collecting and storing the data illegally, without authority, according to a report filed by the Cyberabad police on April 12 after receipt of the written complaint from the UIDAI. Such a “first information” police report is a formal complaint to start a police investigation as required by Indian laws.

The company is alleged to have been using Aadhaar data from the two state governments to develop an application called “Seva Mitra” for the regional Telugu Desam Party. The population of the two states, where TDP is active, is approximately 84 million. TDP is the dominant party in Andhra.

Special investigators first registered a probe of the case on March 2 in Telangana. Based on their information, the UIDAI requested that Andhra Pradesh also take the matter up. Technically the two states will treat the matter as separate cases.

Hard disks seized

The first information report, accessed by Asia Times and other news organizations, was filed after a special investigation team of Telangana police seized hard disks and other digital evidence from the premises of IT Grids.

The investigators alleged that the Seva Mitra application was being used by the Telugu Desam Party for voter profiling, targeted campaigning and even deletion of votes.

The government of prime minister Narendra Modi has time and again asserted in the Supreme Court that Aadhaar data was secure and the central database was “impossible” to hack into. The complaint filed by the UIDAI now undermines those claims.

Last year, when the Supreme Court was hearing petitions challenging Aadhaar, Attorney General KK Venugopal told the top court that Aadhaar data were secure behind walls “13 feet high and five feet thick.” Venugopal said that all the data collected for Aadhaar, including biometric data, were being kept at a complex in Manesar, near Delhi.

Regulations dating from 2016 restrict sharing, circulating or publishing of Aadhaar numbers.

Lab work

The Telangana State Forensic Science Laboratory investigated the hard disks seized by the police. These contained “a database of a large number of records pertaining to Aadhaar,” says the first information report. The lab concluded that the data were being stored by the company with the cloud storage services of Amazon Web Services in the United States. The report says this was in contravention of Rule 6(4) of the Aadhaar (Sharing of Information) Regulations mentioned above and Section 44 of the Aadhaar Act, 2016.

Rule 6(4) of Aadhaar regulations regarding sharing of data stipulates that “no entity, including a requesting entity, shall require an individual to transmit his Aadhaar number over the Internet unless such transmission is secure and the Aadhaar number is transmitted in encrypted form except where transmission is required for correction of errors or redressal of grievances.” Section 44 of the Aadhaar Act says that the law will be applicable to “any offense or contravention committed outside India by any person,” if the act involves any data in the Central Identities Data Repository. The CIDR is a centralized database in one or more locations containing all key Aadhaar data.

The investigation revealed that “the structure and size of the database are surprisingly similar to that of databases that could have been originally owned by UIDAI.” Records of five persons furnished by the complainant were verified by the laboratory and the same information was found in the seized hard disks.

The presence of the programmer’s command “HID_NUM” among the data fields made the investigators suspect that “the data could have been obtained either from Central Identities Data Repository or one of the State Resident Data Hubs aligned to the CIDR. Availability of such unique information … indicates that the accused in the case might have illegally accessed CIDR or SRDH and has used such information or data for wrongful gain.”

The accused’s possession of such a sensitive database in removable storage is in contravention of Section 38(g), Section 38(h), Section 40 and Section 42 of the Aadhaar Act, 2016, says the complaint letter. Sharing of Aadhaar information by anyone, including UIDAI or CIDR employees, with any entity without the permission of the concerned individual, along with altering or destroying Aadhaar information stored in removable media or CIDR is expressly prohibited and punishable by these sections of the Aadhaar Act.

The complaint letter by UIDAI also said, “In light of the gravity of the offenses committed by the accused, it is felt that complaints filed by individual residents that their Aadhaar data is being misused will not suffice as UIDAI is the ultimate custodian of all Aadhaar related data and Sec 44 of Aadhaar Act 2016 applies to offenses occurring outside India.”

While the Supreme Court upheld large parts of the Aadhaar Act after a five-year challenge, the court struck down Section 57 of the identity law that allowed transfer of citizens’ details to private entities. A minority opinion in the case, which would have gone farther, has recently been cited in a Jamaican case.

The latest findings further undermine the government’s claims.