The Unique Identification Authority of India (UIDAI), the Aadhaar-issuing body, has landed itself in the midst of yet another data leak fiasco. The official website of the Department of Agriculture under the government of Andhra Pradesh has exposed the unique 12-digit biometric number belonging to thousands of farmers through an open database. In addition to their Aadhaar data, the database on "Farm Mechanization Request Details Report 2017-18" contains information such as the farmers' names, mobile numbers, village names, tractor types and their respective manufacturers, subsidy, and castes among others.
The leak was exposed by French security researcher Robert Baptiste, also known as Elliot Alderson, on his Twitter handle. "Hi @ap_agriculture, Due to your negligence, the #Aadhaar numbers of farmers are available on the web. Can you contact me in this ASAP," he tweeted on Monday.
Alderson, who often hunts for security flaws in various apps as well as tech services, had uncovered some of the biggest Aadhaar-related leaks last year. For instance, last year he exposed security deficiencies in the Telangana government's benefit disbursement portal TSPost, which contained the account details and Aadhaar numbers of over five million beneficiaries of the National Rural Employment Guarantee scheme and four million beneficiaries of social security pensions.
More recently, in February, Alderson investigated a leak in Indane Gas' distributor portal on a tip-off and was able to easily access critical data of almost 6.7 million subscribers. He then reportedly developed a custom script that was able to get data for up to 11,000 dealers, which eventually led to the extraction of Aadhaar data of up to 5.8 million subscribers.
Worryingly, the latest Aadhaar leak on the part of the Andhra Pradesh state government has not been plugged even two days after Alderson red-flagged it. The database can still be found through a cursory Google search, without ever visiting the Department of Agriculture's website.
This is the second time in less than a year that the Andhra Pradesh state government has goofed up on data privacy. In July 2018, the personal data of more than 23,000 farmers who had received subsidies from the Andhra Pradesh Medicinal and Aromatic Plants Board was leaked through an open database on the state government portal, The Economic Times reported. In addition, one of the state government's unsecured websites had also exposed the names and numbers of individuals who purchased medicines from a government-run store along with other details like phone numbers and the purchase details.
According to cybersecurity experts, such recurring leaks could have several ramifications. "With such data, hackers can always use them for social engineering or frauds on the targeted users. Through fake calls or messages, hackers can always dupe users, which is why it is so critical," Bikash Barai, co-founder of FireCompass, a cybersecurity company, told the daily.
In most of the previous data leak debacles, the UIDAI has staunchly maintained that mere possession and storage of Aadhaar numbers poses no risk to the people they belong to, since one also needs biometrics or a One Time Password (OTP) to access any Aadhaar-based service. If the body does make a statement on the latest leak, chances are it will be along the same lines.