India on Thursday began investigating a report that access to its database of the identity details of more than 1 billion citizens was being sold for just $8 on social media, in what could be one of the giant programme’s biggest security breaches.
The Tribune newspaper said it had been able to buy login credentials to the Aadhaar database, allowing it to acquire information such as the names, telephone numbers and home addresses of millions of people.
The paper said it bought access for as little as 500 rupees ($7.89) from someone on a WhatsApp social media group.
The “case appears to be an instance of misuse,” said the Unique Identification Authority of India (UIDAI), which runs the biometric identity card scheme, the world’s largest.
The agency said it had initiated a police complaint against the people responsible for selling the access, but did not identify them.
Crucial data, “including biometric information, is fully safe and secure,” the agency said in a statement. The database incorporates fingerprints and iris scans, besides basic information details.
“Mere display of demographic information can’t be misused without biometrics,” it added, ruling out financial fraud, saying access to bank accounts required further authentication that involved fingerprint and iris scans.
But the breach is the latest in a programme facing increasing scrutiny over privacy concerns and is likely to prompt further questions about data safety.
The Supreme Court is holding hearings to decide if a drive by the administration of Prime Minister Narendra Modi to link Aadhaar to private and public services infringes the privacy rights of individuals.
“The perils of making Aadhaar mandatory and linking it to bank accounts, as insisted upon by the Modi government, are visible here,” Sitaram Yechury, a leader of the communist party, said in a Twitter post.
“Do we need more proof to stop this madness?”
Last month, the agency barred telecoms firm Bharti Airtel and its Airtel Payments Bank from using Aadhaar details to verify customers’ identities, because the facility was being misused to open accounts on its payment platform.