Karnataka

How Srivastav misused data


The ability of a software engineer to bypass strict protocols set in place by the Unique Identification Authority of India (UIDAI) to access critical data puts the spotlight firmly on the security measures employed to protect Aadhaar data in the country.

Police investigations have revealed that Abhinav Srivastav piggybacked on the infrastructure of another app to hack the database.

“Aadhaar related information, legally housed by the National Informatics Centre server, was illegally and without authorisation accessed and used to support this mobile application,” said a statement by the police issued on Thursday. To give his ‘Aadhaar e-KYC’ app an air of authenticity, Srivastav hacked into the NIC server that houses the e-hospital system, a solution for government hospitals to handle patient care and other services, including medical records management.

Regulations

As part of its regulations, UIDAI accords certain agencies the title of an Authentication User Agency (AUA), which can then provide Aadhaar-enabled services to the card holder. For authentication, these agencies have to connect to the Central Identities Data Repository (CIDR) through the services of an Authentication Service Agency (ASA). ASAs are bound by regulations that stipulate encryption of data and logging of access.

The ‘e-hospital’ platform of the NIC had access as a registered AUA. Srivastav used this server to route his app requests for data access and managed to steal the data, the police said.

Printable version | Aug 4, 2017 12:38:32 PM | http://www.thehindu.com/news/national/karnataka/how-srivastav-misused-data/article19425287.ece