Totally Baseless, False And Irresponsible, Says UIDAI On Report Of Aadhaar Data Leak

The UIDAI or Unique Identification Authority of India on Saturday refuted reports of a major security lapse in the Aadhaar system. The UIDAI, the issuer of the 12-digit personal identification number Aadhaar based on a resident's biometric and demographic data, said: "There is no truth in this story as there has been absolutely no breach of UIDAI's Aadhaar database. Aadhaar remains safe and secure." Earlier, a report by business technology news website ZDNet had said that a data leak on a system run by a state-owned utility company can allow access to private information of Aadhaar holders, exposing their names, their unique 12-digit identity numbers, and their bank details, according to news agency Reuters.

The development comes less than two weeks after the Supreme Court extended indefinitely the March 31 deadline for mandatory linking of the 12-digit personal identification number Aadhaar, also known as Unique Identity Number (UID), to a range of services.

Here are five things to know:

1. "We refute the reports in a certain section of media sourced from ZDNet which quote a person purportedly claiming to be a security researcher that a state-owned utility company has vulnerability which can be used to access huge amount of Aadhaar data including banking details," the UIDAI said in a series of posts on microblogging site Twitter late on Saturday.

2. Terming the report as "totally baseless, false & irresponsible", the UIDAI said: "Even if the claim purported in the story were taken as true, it would raise security concerns on database of that Utility Company and has nothing to do with security of UIDAI's Aadhaar database."

The story is totally baseless, false & irresponsible. It purports that the database of a state Utility company containing its customer details such as bank account numbers, consumer number, Aadhaar number (not the biometrics), etc., has vulnerability. 3/8

— Aadhaar (@UIDAI) March 24, 2018

3. "We advise people not to get misled by such false and irresponsible stories being circulated in social and other media by some vested interests," said the UIDAI, the issuer of Aadhaar.  "Mere availability of Aadhaar number with a third person will not be a security threat to the Aadhaar holder or will not lead to financial/other fraud, as for any transaction, a successful authentication through fingerprint, Iris or OTP of the Aadhaar holder is required," the UIDAI added.

4. Aadhaar, a biometric identification card with over 1.1 billion users, is the world's biggest database. Aadhaar has been facing increased scrutiny over privacy concerns following several instances of breaches and misuse.

If one goes by the logic of ZDNet’s story, since the Utility company’s database also had bank account numbers of its customers, so would that mean that all Indian banks’ databases have been breached? The answer would obviously be in negative.5/8

— Aadhaar (@UIDAI) March 24, 2018

5. Further, one must understand that the Aadhaar number, though a personal and sensitive information, is not a secret number, the UIDAI said.