The system in question is Aadhaar, a biometric digital identity program operated by the Indian government. 1.3 billion people in India are currently enrolled in the program, and around 60 percent were affected by the breach.
It was carried out by an anonymous hacker, who says that the breach left them with sensitive personal data pertaining to 815 million Indian citizens. They are now selling the full set of data for $80,000. It is believed that the source of the leak is connected to data from testing for COVID-19 carried out by the Indian Council of Medical Research; the test data was linked to people’s Aadhaar numbers.
When signing up for Aadhaar, Indian citizens and residents are required to provide demographic information such as their name, age, date of birth, gender and address, along with biometric information that includes scans of both of their eyeballs, a photo of their face and fingerprints of all of their fingers.
The data set being sold by the hacker contains much of this data, along with the victims' phone numbers, pin codes, passport numbers and fathers' names. Some of the samples of the hack that were leaked have been verified, with some of the victims who were contacted saying that the data was correct and that they had not been notified of the breach.
Aadhaar, which is the Hindi term for "foundation," was set up in 2012 to establish a unique identification number for every resident of India and is now the world's biggest digital identity system. It includes 92 percent of the country's population and has issued 1.3 billion unique identity numbers.
The government said its aim was to give people without identification a formal method of government identification while reducing the incidence of stolen or fake IDs and giving people access to government programs such as welfare. Although it was initially introduced as a voluntary program, it later became mandatory for those who wish to take advantage of state benefits and welfare programs.
Aadhaar is also needed to access private sector services such as bank accounts, pension payments and medical records in the country. The system also keeps track of users' employment status, purchasing records and their movements between cities, giving the government far-reaching surveillance powers.
This breach is not the first time that the system has been hacked; the Indian government is already investigating a previous data breach involving the personal data of vaccinated Indian citizens. In addition, according to WikiLeaks, the CIA may have access to it, and the trade publication Biometric Update has said that India is “bleeding biometric data” as a result of the system.
This is highly problematic because biometric data such as fingerprints and eye scans can never be changed the way that a person might change a password after an account has been hacked. The truth is that anything that is online or connected to a digital system can be hacked in some way, even with the most robust, latest security protections in place.
When the system was set up, it was applauded by Bill Gates for making “India's invisible people visible.” He also said at the time that there were not any privacy risks involved in the system, which is something that the 815 million people who now have so much personal data exposed would surely take issue with.