A security researcher said an Indian government website was exposing the Aadhaar numbers of India’s farmers, potentially amounting to millions of people.
Atul Nair told TechCrunch that he found a part of the Pradhan Mantri Kisan Samman Nidhi website that was revealing the farmers’ information. PM-Kisan, as the agency is better known, is an Indian government initiative aimed at providing every farmer in India with basic financial income.
But Nair said a portion of the initiative’s website was returning farmers’ Aadhaar numbers, which farmers have to provide to receive the state income.
An Aadhaar number is a confidential 12-digit number assigned to each Indian national as part of the country’s national identity database. Aadhaar is used as proof of identity for citizens after they submit their fingerprints and retinal scans to the central database, and is often required for accessing state government services, like welfare assistance and voting. Aadhaar numbers are also used for opening bank accounts, renting Airbnbs, driving with Uber, and for providing verification for other online services. Aadhaar numbers aren’t strictly secret, but are treated similarly to American Social Security or British National Insurance numbers.
Nair provided a small sample of the farmers’ information and corresponding Aadhaar numbers that were exposed by the PM-Kisan website, which TechCrunch verified as authentic by matching the exposed data with each farmer’s information using a tool on PM-Kisan’s own website.
He warned that a malicious attacker could have easily gathered the farmers’ information by writing a script. According to PM-Kisan’s website, which appears to be only accessible from within India, more than 110 million farmers have registered since the initiative launched in 2019.
Nair reported the security lapse in January to India’s national computer emergency response team, known as CERT-In, and the exposure was fixed in late May. Nair also published his report in a blog post.
Ranjna Nagpal, whose contact information was listed on PM-Kisan’s website, did not return an email requesting comment sent prior to publication.
The data leak is not a breach of the central database run by Aadhaar’s regulator, the UIDAI, but is the latest security lapse to beset the controversial national identity database, staunchly defended by Prime Minister Narendra Modi’s government.
In 2017, a report found more than 130 million Aadhaar numbers and associated banking data had been exposed by just a handful of websites. TechCrunch has also reported on several lapses involving large numbers of Aadhaar numbers. And in 2018, journalists found that Aadhaar data was for sale by individuals selling access to the database.