Abhinav Srivastava, a 31-year-old software engineer working with ride-hailing startup Ola, has been arrested by the central crime branch (CCB) police for building a mobile application that illegally accessed data on the Unique Identification Authority of India (UIDAI) servers.
The arrest was made after UIDAI Deputy Director Ashok Lenin filed a case against Srivastava and Qarth Technologies, a company he founded and sold to Ola in March last year, with the Bengaluru police. The case was then transferred to the cyber crime division that is now carrying out the investigation.
"Further investigations will answer all our questions. These things take a lot of time to analyse and understand. The app has been downloaded 50,000 times, but the number of people who have used that app to verify their Aadhaar will be found out in due time," said a police official who did not want to be named.
Srivastava is charged with building an Aadhaar e-KYC application, available for download on the Google Play Store, that illegally accessed UIDAI data through the eHospital application and its server, the police said in a statement.
It isn't clear at this moment if Aadhaar user data was stored, but the app essentially allowed users to do verification using Aadhaar without biometric or one-time password (OTP) authentication. Lenin had said that the hack was active from 1 January and went undetected until 26 July, after which he filed the case with the Bengaluru police.
"He had a deep interest in developing Android mobile application software and till now he has developed five mobile applications. He developed the Aadhaar e-KYC verification mobile application in January 2017 and has earned about Rs 40,000 from advertisements," the police said.
Srivastava was arrested on 1 August and is still in police custody for further investigation. The City Cyber Crime and CCB police had formed six teams to investigate and arrest the accused, calling it a serious crime as the app he had developed exposed private information of Indian citizens.
Ola had declined to comment on Srivastava's position in the company, but the police confirmed that he was employed at the company as a software engineer. An internet search revealed that Srivastava's position at the company was "Hacker at Ola Connected Car Platform" as per his LinkedIn profile, which has been updated to remove all his professional experience.
"Ola has neither commissioned nor is involved in any such activity. No such complaint has been brought to our notice," the company had said previously in a statement.
The case comes at a time when people are questioning how secure Aadhaar data really is. A landmark case on the right to privacy, which is being fought in the Supreme Court, could have a widespread impact on how the government mandates collection of Aadhaar data and its use.