Aadhaar-issuing authority UIDAI has asked research firm, Centre for Internet and Society (CIS) to explain its sensational claim that 13 crore Aadhaar numbers were “leaked” and asked them to provide details of servers where they were stored.
In a precursor to initiating a probe into the matter, the Unique Identification Authority of India (UIDAI) also wants CIS to clarify just how much of such “sensitive data” are still with it or anyone else.
The UIDAI which has vehemently denied any breach of its database, shot off a letter to CIS yesterday asking for the details, including the servers where the downloaded “sensitive data” are residing and information about usage or sharing of such data.
Underscoring the importance of bringing to justice the people involved in “hacking such sensitive information”, the UIDAI sought CIS’ “assistance” in this regard and has given it time till May 30 to revert on the issue.
“Your report mentions that the data of 13 crore people has been leaked. Please specify how much (of) this data has been downloaded by you or are in your possession, or in the possession of any other person that you know,” the UIDAI said in its communication to CIS.
Meanwhile, the UIDAI has quoted sections of the Information Technology Act, 2000, and the Aadhaar Act to emphasise that violation of the clauses are punishable with rigorous imprisonment of up to 10 years.
“While your report suggests that there is a need to strengthen IT security of the government websites, it is also important that the people involved in hacking such sensitive information are brought to justice for which your assistance is required under the law,” it said.
Servers, systems and other technical details sought from CIS
The UIDAI has also sought technical details on how access was gained for the National Social Assistance Programme (NSAP) site which is one of the four portals where the alleged leak happened.
The UIDAI has also asked for details of systems that were involved in downloading and storing of the sensitive data so that forensic examination of such machines can be conducted to assess the quantum and extent of damage to privacy of data.
When contacted, UIDAI CEO Ajay Bhushan Pandey said, “We do not comment on individual matters.”
The UIDAI letter comes after a CIS’ report earlier this month which claimed that Aadhaar numbers and personal information of as many as 135 million Indians could have been leaked from four government portals due to lack of IT security practices.
“Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million,” the report had said.
Not a leak, but a public disclosure
Interestingly, in what market watchers described as an apparent flip-flop, CIS has now clarified that there was no leak’ or ‘breach’ of Aadhaar numbers, but rather ‘public disclosure’
In an apparent course correction on May 16, a day before the UIDAI’s letter went out, CIS updated its report and clarified that although the term ‘leak’ was originally used 22 times in its report, it is “best characterised as an illegal data disclosure or publication and not a breach or a leak“.
CIS has also claimed that some of its findings were “misunderstood or misinterpreted” by the media, and that it never suggested that the biometric database had been breached.
“We completely agree with both Dr Pandey (UIDAI CEO) and Sharma (Trai Chairman) that CIDR (Aadhaar central repository) has not been breached, nor is it suggested anywhere in the report,” CIS said in its latest update.