India's controversial national ID scheme leaks fraud-friendly data for 130,000,000 people

Aadhaar kicked off in 2009, linking each Indian resident's biometric data and sensitive personally identifying information to a unique 12-digit number.

It's been controversial since its inception, with privacy advocates and cybersecurity experts warning that the system held the potential for terrible breaches with unimaginably ghastly consequences.

Now, in a new report published yesterday by researchers from the Bangalore-based think-tank the Centre for Internet and Society, Amber Sinha and Srinivas Kodali comprehensively document the many ways in which Aadhaar is leaking, tracking the #aadhaarleaks hashtag, which has revealed potentially compromising information on more than 130,000,000 people, largely material that is intentionally available through official portals.

In the last month, there have been various reports pointing out instances of leakages of Aadhaar number through various databases, accessible easily on Twitter under the hashtag #AadhaarLeaks. Most of these leaks reported contain personally identifiable information of beneficiaries or subjects of the leaked databases containing Aadhaar numbers of individuals along with other personal identifiers. All of these leaks are symptomatic of a significant and potentially irreversible privacy harm, however we wanted to point out another large fallout of these leaks, those that create a ripe opportunity for financial fraud. For this purpose, we identified benefits disbursement schemes which would require its databases to store financial information about its subjects. During our research, we encountered numerous instances of publicly available Aadhaar Numbers along with other PII of individuals on government websites. In this paper, we highlight four government projects run by various government departments with publicly available financial data and Aadhaar numbers. Our research is focussed largely on the data published by or pertaining to where Aadhaar data is linked with banking information. We chose major government programmes using Aadhaar for payments and banking transactions. We found sensitive and personal data and information very easily accessible on these portals.

Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information
[Amber Sinha and Srinivas Kodali/Centre for Internet and Society]