“Therefore, there is no data leak, there is no systematic problem, but, if any one tries to be smart, the law ignites into action.” – Ravi Shankar Prasad, IT Minister, in the Rajya Sabha, on 10th April 2017

Details of around 130-135 million Aadhaar Numbers, and around 100 million bank numbers have been leaked online by just four government schemes alone: the National Social Assistance Programme, the National Rural Employment Guarantee Scheme (NREGA), Daily Online Payments Reports under NREGA (Govt of Andhra Pradesh), and the Chandranna Bima Scheme (Govt of Andhra Pradesh), as per a research report from the Centre for Internet and Society.

Download the report here.

While the data leaked differs across schemes, it could include information such as Name, Aadhaar Number, Bank Account Number, Father’s/Husband’s Name, Age, Gender, among other things. In other words, a spammer/scammer/phishing-entity’s dream come true. The Aadhaar Number is a permanent irrevocable number which is being made mandatory, and is being forcibly linked to mobile numbers, bank accounts, tax filings, scholarships, pensions, rations, school admissions, health records and much much more, which thus puts more personal information at risk.

The report estimates that given the scale of the data leaks (beyond these schemes), the number could be closer to around 230 million (23 crore), given that “Over 23 crore beneficiaries have been brought under Aadhaar programme for DBT (direct benefit transfer), and if a significant number of schemes have mishandled data in a similar way.” This essentially means that personally identifiable information for almost 17% of the population (assuming India has 1.30 billion people) may be at risk; this doesn’t include parallel databases created by private entities who may collect Aadhaar and personal information from citizens.
Note that while this data has now been taken down, there are several other instances where data remains published online. The report has been written by Amber Sinha and Srinivas Kodali. Kodali was among the first to report instances of Aadhaar numbers and personal data being published online: a Telangana government agency had published personally identifiable information of 500,000 to 600,000 children.

Data Available

1. National Social Assistance Programme:

  • A total of 1,59,42,083 Aadhaar Numbers, though not all are linked to Bank Accounts. It has 94,32,605 bank accounts and 14,98,919 post office accounts linked with Aadhaar Numbers.
  • The data includes a list of pensioners by state, district, area, sub-district/municipal area and gram panchayat/ward, with Job card number, Bank Account Number, Name, Aadhaar Number, account frozen status.
  • A data download option allows a download of Beneficiary No., Name, Father’s/Husband’s Name, Age, Gender, Bank or Post Office Account No. for beneficiaries receiving disbursement via bank transfer and Aadhaar Numbers for each area, district and state.

2. National Rural Employment Guarantee Scheme:

  • A total of 10,96,41,502 Aadhaar Numbers, 78,74,315 post office accounts of workers seeded with Aadhaar Numbers, and 8,24,22,161 bank accounts.
  • The data includes granular reports for each district, mandal and panchayat, including Job card No., Aadhaar Number, Bank/Postal Account Number, no. of days worked, Registration Number, account frozen status.

3. Chandranna Bima Scheme, Govt of Andhra Pradesh:

  • 2,05,65,453 workers registered under the Aam Aadmi Bima Yojana. The data is organised in the form of a list of workers registered for each district, mandal, village and block, and within each block, there is a list of all registrants.
  • Each registrant has their own page with the following data: Aadhaar Numbers, Name, Father’s/Husband’s Name, age, caste, mobile number, gender, partially masked bank account number, IFSC Code, Bank Name and details of the nominee. MS Access databases of all the data were also available, and these had the masked data unmasked.

4. Daily Online Payment Reports of NREGA, Govt of Andhra Pradesh

  • 1,12,99,803 Aadhaar Numbers, 76,63,596 bank account numbers
  • Personal information: Job card No., Aadhaar Number, Bank/Postal Account Number, whether it is seeded with mobile number, no. of days worked, registration Number, date on which e-pay order number is created, date, date on which e-pay order number is sent to paying agency, date of credit to worker’s account, time and date for disbursement, pay order amount, mode of payment.

The report points out that while some of the data has subsequently been masked, it does not mean that government agencies have purged the data, which leaves it open to both cyberattacks and any potential leakages of data by those with access to it.

Also, “retrospectively addressing some of these concerns has little or no impact without data de-identification standards, information security protocols and proper access control to sensitive personally identifiable data collected.”

Our Take

1. It’s probably bigger than just 130 million: At MediaNama, we’ve documented other instances of government departments publishing Aadhaar data (and we’ve viewed this data and downloaded Excel sheets to check), so the scale of the public disclosure of information, with no accountability, is truly frightening. Government competence is truly an oxymoron. It won’t be long before this data is sold. Apparently such data already is being sold:

2. Faulty by design: While Aadhaar creator Nandan Nilekani and the IT Minister Ravi Shankar Prasad might give assurances that the Aadhaar database is safe, the fact is that Aadhaar was poorly designed: it may have taken into account the security aspects of storing this data, but it didn’t take into account the systemic risks of incompetent government departments handling this data, and disclosing it, putting citizens at risk. To remind you: the Aadhaar Number is a permanent, irrevocable number which is being made mandatory, and is being forcibly linked to mobile numbers, bank accounts, tax filings, scholarships, pensions, rations, school admissions, health records and much much more.

3. Faulty law: According to the Aadhaar Act, a citizen has no recourse in case of a data breach because your Aadhaar data doesn’t belong to you: it belongs to the government. While the UIDAI has acted in some cases against errant external agencies (around 34,000 of them), there is no information on cases being filed against government departments filing these cases.
