
On the Jio data leak: Mobile-Aadhaar linkage should be stopped, Aadhaar eKYC needs its own DSS

As we reported earlier today, a website called magicapk.com went up last evening, allowing anyone to search for personal details of Jio customers. That website has now been taken down, but issues regarding security standards, the source of this information, and the amount of information that may be made public through such leaks still persist. Some points:

1. The information was legit: There were a large number of people last evening who were tweeting that they had been able to access information that they could verify as legit. I tried it for a few people, and it worked. As did many others. Some people validated their own data. It was almost as if those tweeting saying the information is incorrect were a part of a campaign. It’s shameful that Jio is trying to deny that this ever happened, or that the data is inauthentic. It isn’t: we’ve got screenshots. Here are 2 redacted screenshots:

2. We do not know how much data got leaked: All we know is that many people were able to validate this information. It isn’t like the Aadhaar leaks, where we saw government departments put up Excel sheets that could be found through a Google search, and entire sites making rows of data easily accessible. That data was far more problematic: names, mobile numbers, addresses, bank account numbers and Aadhaar numbers.

3. We do not know why this site was put up: It could be someone trying to showcase how vulnerable the data is, and this was their way of alerting people about a breach/leak or vulnerability. We’ve had instances of security experts and ethical hackers try in desperation to get companies to fix vulnerabilities, and when ignored, they don’t know what to do. If the intent was bad, then this could have been a sort of proof of concept to show potential buyers that this data is legit.

4. We do not know where this data leaked from: It could have been via a direct selling agent who could have kept this data unencrypted, or from an internal source who stole the data, or there could have been a vulnerability in the setup. Unless there is transparency from Jio about where in its ecosystem the data leaked from, we will never know.


5. The site going down doesn’t mean new ones won’t come up again: If they have the data, they could potentially set up hundreds of sites, or dump that data online for others to take up.

6. It’s not clear whether Aadhaar data was leaked: Aadhaar numbers are a part of the form, but no one has, as yet, found that Aadhaar numbers were leaked. It’s illegal to publish Aadhaar numbers (“The Aadhaar number of an individual shall not be published, displayed or posted publicly by any person or entity or agency”; AADHAAR (SHARING OF INFORMATION) REGULATIONS, 2016, point 6).

7. Who’s responsible for data via eKYC? Jio got this information using the Aadhaar eKYC process: users consented to give their information to Jio via fingerprint authentication when buying a SIM card. The UIDAI transferred personal identification information to Jio, but does its responsibility end there?

8. We need a data security standard for Aadhaar eKYC: When you run a payment gateway or a site which handles credit card information, it has to conform to a data security standard (DSS), the Payment Card Industry DSS from the PCI Security Standards Council, which specifies norms around data storage, transmission and retention, with the aim of limiting the amount of data stored. For example, organisations must meet a particular security standard before they are allowed to store card information for pre-filling. So, what kind of security and data protection processes and standards does the UIDAI mandate for entities like Jio before it allows eKYC, to ensure that sensitive data, once procured, is kept safely? What kind of security does UIDAI mandate that Jio’s direct selling agents maintain? Who gets access to that data? Just as with credit card information, the fact that a user has given consent doesn’t mean that UIDAI’s responsibility ends there. This problem will only grow as more businesses sign up for eKYC. There must also be penal provisions applicable if these standards are not followed.

9. Mobile linkage with Aadhaar should be stopped unless security standards are specified and validated on a regular basis: The government of India, while misrepresenting a Supreme Court order, has made it mandatory to link mobile numbers to Aadhaar numbers. This should be stopped.

Written By

Founder @ MediaNama. TED Fellow. Asia21 Fellow @ Asia Society. Co-founder SaveTheInternet.in and Internet Freedom Foundation. Advisory board @ CyberBRICS


© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
