Govt, state depts expose personal data of millions of Indians

Personal data include beneficiary name, address, gender, family details, Aadhaar, bank details

The Wire staff  |  New Delhi 


At least one central government ministry and multiple Indian state government departments currently expose the personal information of thousands of Indian citizens through their websites — information that shouldn’t actually be available so freely.
 
The data in question, in some cases, includes names, addresses, date of birth, Aadhaar card numbers, PAN card details, religion and caste. All of this information, which should be securely and safely stored, is available in the form of and can be obtained by a simple Google search.


 
This issue was first pointed out by Twitter user St_Hill, who posted an article detailing the dangers of identity theft and how data is improperly stored.
 
Much of the personal information stored online corresponds with various central government and state government schemes. Departments run a number of initiatives that require the personal details of beneficiaries — in some cases, including bank details, Aadhaar numbers and PAN card details — and then store them in the form of online spreadsheets on their websites.
 
The Wire is still in the process of confirming the authenticity of this data, which involves getting in touch with the people who are most likely unaware that their data is public, and will update this story accordingly.
 
What kinds of departments and schemes?

At least one central government ministry has accidentally published the details of beneficiaries who apply for a core government scheme. The data involved include beneficiary name, address, gender, family details, Aadhaar number and bank details (account number, IFSC code). One particular state government, which administers a national welfare scheme for minors, has published the names, addresses, genders, religion, caste and bank account details (account number and IFSC code) for hundreds of minors.
 
Yet another state government department has available online a list of “trainees” that includes personal details such as caste, gender and religion.

Another particularly troubling case involves a state government publishing a Microsoft Excel sheet that contains the Aadhaar card and bank account details of over 100,000 state residents who are part of a social development programme initiative.
 
Is this legal?
 
On the face of it, it appears as if the government departments in question simply haven’t secured this information properly. As St_Hill points out, publishing Aadhaar number information is prohibited by the Aadhaar Act, 2016.
 
Section 29 of the Act (paragraph 4) clearly states that “no Aadhaar number or core biometric information collected or created under this Act in respect of an Aadhaar number holder shall be published, displayed or posted publicly, except for the purposes as may be specified by regulations”.
 
This isn’t the only instance of the data of Indian citizens being made public by accident. A month ago, data researcher Srinivas Kodali pointed out how a third-party website accidentally published the data of 500,000-600,000 minors, including Aadhaar numbers, name, caste, gender and photos. This website was eventually brought down but its existence underscores the poor online security practices and nonchalant attitudes towards privacy prevalent in India.

More recently, the home delivery smartphone app of McDonald’s India came under fire after a start-up discovered that the company’s lax security practices potentially leaked the data of over 2.2 million Indians.

The Wire has reached out to multiple central government institutions that handle information security and with queries and will update this story when we receive their response. The Wire has also reached out to the Unique Identification Authority of India with questions on whether the Aadhaar numbers of those who have been affected will be reissued.

In arrangement with TheWire.in
