210 Indian Government Websites Expose Personal DataWhat Caused Leak of Aadhaar Numbers, Other Sensitive Data, on So Many Sites?
About 210 websites of central and state government departments in India were displaying personal details and Aadhaar numbers of beneficiaries, the government announced in the parliament on Wednesday.
Some security experts are questioning why auditors did not detect problems that led to the data leakage and say it's time for the government to take strong action against faulty auditors.
The Unique Identification Authority of India, or UIDAI, is monitoring the status of efforts to remove the Aadhaar data from the websites, says PP Chaudhary, the minister of state for electronics and IT in the parliament.
"The websites of central government and state government departments, including educational institutes, were displaying the list of beneficiaries along with their name, address and other details and Aadhaar numbers for information of general public," Chaudhary says. There has been no leakage of Aadhaar data from UIDAI's end.
Earlier this year, digital identities of more than 1 million citizens were compromised by a programming error on a website maintained by the Jharkhand Directorate of Social Security. That glitch revealed the names, addresses, Aadhaar numbers and bank account details of the beneficiaries of Jharkhand's old age pension scheme.
The latest revelation by the minister has again raised questions about whether it was wise for the government to make the Aadhaar number mandatory for the purpose of establishing identity of an individual to enable receipt of government subsidies, benefits and services.
"I am not against digitization, but such moves should be undertaken by the government only when it is fully ready," says Ritesh Bhatia, a cybersecurity expert at V4Web. "When you launch such big programs impacting millions without making the necessary security arrangements, it's bound to fire back. I firmly believe government should have taken necessary security steps before making Aadhaar mandatory." (see: Aadhaar Authentication for Banking: Is It Premature? )
The incident also reflects poorly on government departments. "This proves that government departments are using Aadhaar but don't know the legal implications of display of personal information," says Rakesh Goyal, director-general, Centre for Research and Prevention of Computer Crimes. "There is no awareness, education and guidelines from any concerned ministry. One hand of government does not know what the other hand is doing."
Causes for Data Leak
It's not yet clear what caused the sensitive information to be displayed on so many government websites.
Sahir Hidayatullah, CEO at Smokescreen, offers this theory: "It's a case of inadvertent data leakage" due to a server misconfiguration or site dysfunctionality. "A site dysfunctionality would be when I put somebody's name on the affected website and it gives me the entire Aadhaar details of the person," he says.
Any entity - government or private - can sign up to use the Aadhaar database. Aadhaar does two types of transactions:
- Authentication, where the entity can send in a person's identity details to UIDAI and get a response as to whether the information is correct; and
- e-KYC, where the entity can send in a person's Aadhaar number and request for his/her KYC [Know Your Customer] details, which are provided once the user consents to it being shared via an one time password or using biometrics.
"Therefore, when an entity does an e-KYC transaction, an individual's personal details get into the entity's hands," says Shivangi Nadkarni, co-founder & CEO at Arrka Consulting. "Of course, before this entire process is set up, UIDAI requires the entity to go through a security audit. However, it should be kept in mind that this audit is carried out prior to the entity commencing its actual transactions."
Nadkarni says that once operations start, "it is quite likely that some of these security controls may not continue to be followed as designed. So in this case, it is entirely possible that security slackened once operations started and critical data got leaked onto the websites mentioned."
Time for Transparency
Practitioners emphasize that the government should reveal the exact problems with the websites and the impact of the data leakage.
He also questions the role of CERT-In in preventing such mishaps. "All government websites are audited by CERT-empaneled auditors. In the past months whenever Aadhaar details have been leaked, has CERT taken any steps against the concerned auditors?" he asks.
J. Prasanna, director at Cyber Security Privacy Foundation Pte Ltd, says it's not clear that the auditors are using adequate procedures. "Auditors who have failed to do proper checks and balances should be penalized heavily," he says.
UIDAI or other concerned ministry must frame clear guidelines on usage, display, storage, archival, backup, destruction and security of Aadhaar data to comply with the provisions of Aadhaar Act 2016, Goyal says. "Further, the concerned ministry must assign some of its officers to validate the compliance of Aadhaar Act by all central government, state government, semi-government, PSUs [Public Sector Units] websites, mobile apps and other instruments."
Some security experts say that CERT auditors should have a set of guidelines they could follow on how to store and access Aadhaar information. "The payment card industry has PCI-DSS guidelines. There should be something similar here as well," says Hidayatullah.
To be fair, though the UIDAI ecosystem have been designed rather well on paper, the challenge lies in implementation. "The government has to act on that - require stringent measures to be adopted for security and have very strong penalties associated with any non-compliance and breaches. Hopefully the new data protection law should address the penalties part," Nadkarni says.