Centre for Internet & Society (CIS) has released a new report titled “Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information”, which reveals that four government portals, including the National Social Assistance Programme (NSAP) dashboard and the National Rural Employment Guarantee Act (NREGA) portal, have publicly exposed around 130 to 135 million Aadhaar numbers.
“While these numbers are only from two major government programmes of pensions and rural employment schemes, other major schemes, which have also used Aadhaar for DBT, could have leaked PII (personally identifiable information) similarly due to lack of information security practices,” says the report.
In the National Social Assistance Programme (NSAP) welfare programme, the attributes listed in the pensioner databases include job card number, bank account number, name, Aadhaar number and account frozen status. The report shows screenshots of sample pages to demonstrate this.
“While the details were masked for public view, someone with login access could get the details. When one of the URL query parameters of the website showing the masked personal details was modified from ‘nologin’ to ‘login’, that is, access to login-based pages was allowed, providing unmasked details without the need for a password,” adds the report.
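The flaw the report describes is a client-controlled parameter deciding whether personal details are unmasked. The following is an added illustration (not code from the CIS report or from the portals it examined) that contrasts a handler trusting a `mode` query parameter with one that decides from a server-side session; the record, session token and role name are constructed for the example.

```python
# Added example (not code from the CIS report or the portals it describes):
# a client-controlled query parameter must never decide whether PII is unmasked.
# Handlers are plain functions over a request dict, so this runs offline.
# Record contents, session ids and role names below are constructed.

RECORD = {"name": "Example Pensioner", "aadhaar": "000011112222"}  # constructed


def mask_uid(uid: str) -> str:
    """Reveal only the last four digits of an identifier."""
    return "X" * (len(uid) - 4) + uid[-4:]


def render(record: dict, unmasked: bool) -> dict:
    """Build the page payload, masking the identifier unless allowed."""
    uid = record["aadhaar"] if unmasked else mask_uid(record["aadhaar"])
    return {"name": record["name"], "aadhaar": uid}


def vulnerable_view(request: dict) -> dict:
    """Mirrors the weakness the report describes: the page trusts a query
    parameter ('login' vs 'nologin') to decide whether details are unmasked."""
    mode = request.get("query", {}).get("mode", "nologin")
    return render(RECORD, unmasked=(mode == "login"))


# Server-side session store; in a real system it is populated only by an
# authentication step (assumed here, token and role are constructed).
SESSIONS = {"sess-abc123": {"user": "clerk01", "roles": {"pension_officer"}}}


def current_user(request: dict):
    """Resolve the caller from the session cookie; None if not authenticated."""
    token = request.get("cookies", {}).get("session")
    return SESSIONS.get(token)


def hardened_view(request: dict) -> dict:
    """Authorization is decided from the server-side session, never from the
    URL. Unauthenticated or unauthorized callers always get the masked view."""
    user = current_user(request)
    allowed = user is not None and "pension_officer" in user["roles"]
    return render(RECORD, unmasked=allowed)


if __name__ == "__main__":
    anonymous = {"query": {"mode": "login"}}
    print("vulnerable, anonymous:", vulnerable_view(anonymous))
    print("hardened, anonymous:  ", hardened_view(anonymous))
    officer = {"cookies": {"session": "sess-abc123"}}
    print("hardened, officer:    ", hardened_view(officer))
```

The hardened handler ignores the query string entirely: the only input to the authorization decision is state the server itself created when the user logged in.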
Regarding ill-conceived data-driven policies and transparency measures adopted without proper consideration of data security, the report said:
The lack of a consistent data masking and de-identification standard is an issue of great concern. As mentioned earlier, the masking of Aadhaar numbers does not follow a consistent pattern. In some instances, the first four digits were masked, while in others the middle digits were masked. Given the multitude of databases publicly available, someone with access to different databases could use tools for aggregation to reconstruct information hidden or masked in a particular database. Further, most of the databases we encountered were also available for download as spreadsheets. The availability of the information in datafied formats also facilitates the use of data analytics to aggregate information from various sources, thus increasing the risk of data points from different sources coming together to enable reconstruction of masked or undisclosed information.
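The aggregation risk in the passage above can be made concrete. The following added example (not code from the CIS report) merges two differently masked views of the same constructed identifier and shows that the full value falls out, whereas two views produced under one consistent policy (here, assumed to be "reveal only the last four digits") yield nothing new; it also includes a small audit that flags datasets whose mask positions disagree, which is the check a data-publishing team would want before release.

```python
# Added example (not from the CIS report): why inconsistent masking across
# datasets lets an aggregator reconstruct a hidden identifier, and how one
# consistent policy avoids it. All identifier values below are constructed.

MASK_CHAR = "X"


def mask_first_four(uid: str) -> str:
    """Mask the first four digits (one pattern the report observed)."""
    return MASK_CHAR * 4 + uid[4:]


def mask_middle_four(uid: str) -> str:
    """Mask digits 5 to 8 (another pattern the report observed)."""
    return uid[:4] + MASK_CHAR * 4 + uid[8:]


def mask_consistent(uid: str) -> str:
    """Assumed policy for this example: reveal only the last four digits."""
    return MASK_CHAR * (len(uid) - 4) + uid[-4:]


def merge_masked(*views: str) -> str:
    """Combine several masked views of the same identifier: a position is
    known if any view reveals it. This is the aggregation step the report
    warns about; conflicting digits mean the views are not the same record."""
    length = len(views[0])
    if any(len(v) != length for v in views):
        raise ValueError("views must have equal length")
    out = []
    for i in range(length):
        digits = {v[i] for v in views if v[i] != MASK_CHAR}
        if len(digits) > 1:
            raise ValueError(f"conflicting digit at position {i}")
        out.append(digits.pop() if digits else MASK_CHAR)
    return "".join(out)


def is_fully_reconstructed(view: str) -> bool:
    """True when no masked position remains."""
    return MASK_CHAR not in view


def masked_positions(view: str) -> frozenset:
    """Indices that are masked in a given view."""
    return frozenset(i for i, c in enumerate(view) if c == MASK_CHAR)


def audit_masking_consistency(views_by_portal: dict) -> list:
    """Return the portals whose mask positions differ from the first portal's;
    an empty list means every dataset follows the same masking policy."""
    items = list(views_by_portal.items())
    if not items:
        return []
    reference = masked_positions(items[0][1])
    return [name for name, view in items[1:]
            if masked_positions(view) != reference]


SAMPLE_UID = "000011112222"  # constructed, not a real Aadhaar number


def demo() -> dict:
    """Run both scenarios and return the merged views and audit findings."""
    inconsistent = {"pension_portal": mask_first_four(SAMPLE_UID),
                    "nrega_portal": mask_middle_four(SAMPLE_UID)}
    consistent = {"pension_portal": mask_consistent(SAMPLE_UID),
                  "nrega_portal": mask_consistent(SAMPLE_UID)}
    return {
        "inconsistent_merge": merge_masked(*inconsistent.values()),
        "inconsistent_audit": audit_masking_consistency(inconsistent),
        "consistent_merge": merge_masked(*consistent.values()),
        "consistent_audit": audit_masking_consistency(consistent),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The merge needs only a shared join key (the report names job card and bank account numbers alongside the Aadhaar number) to line records up across portals; once two views of one record mask different positions, the masking is defeated without any further data.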
“It must be stated that since we began reviewing and documenting these portals, we have noticed that some of the pages with sensitive PII have now been masked, presumably in response to growing reports about Aadhaar Leaks,” says the report.
Even though some of this information has been masked over the last two months, it is not clear whether these government databases are still leaking data.