French security researcher Baptiste Robert used a basic SQL (Structured Query Language) injection technique to attack TSPost, the Telangana government’s benefits disbursement portal, and access the account details of 56 lakh National Rural Employment Guarantee Scheme (NREGS) beneficiaries and 40 lakh Social Security Pensions (SSP) beneficiaries, including Aadhaar numbers, reports TOI.
Robert breached the application programming interface (API) key of both the TSPost website and the database of NREGS and SSP, among others. This gave him access to all data stored in the beneficiaries’ accounts, including Aadhaar numbers.
It’s not clear if the Telangana government has managed to address the vulnerabilities, but the TSPost site is currently offline. A spokesperson for TSPost had told the publication that they would take care of the issue by February 27, but it looks like they will require more time.
Given that the Unique Identification Authority of India’s (UIDAI) own mAadhaar Android app has serious security flaws that put Aadhaar holders at risk of data, identity and monetary theft, it would be harsh to put the Telangana government to the sword.
TSPost isn’t the first, and it is unlikely to be the last
- In August last year, the Greater Ludhiana Area Development Authority (GLADA) website, a Punjab government website, published online around 20,100 Aadhaar numbers of people who had applied for low-cost housing in Ludhiana and Jagraon.
- A month earlier, in July, the Minister of State for Electronics and Information Technology, PP Chaudhary, said that “it was found that around 210 websites of Central Government, State Government Departments including educational institutes were displaying the list of beneficiaries along with their name, address, other details and Aadhaar numbers for information of general public.” He was responding to a question raised in Parliament regarding Aadhaar data leaks.
Delhi government stops Aadhaar use for PDS
Earlier this month, the Delhi government decided to stop the use of point-of-sale (PoS) terminals that required Aadhaar for the Public Distribution System (PDS), after reports of widespread deprivation and difficulties in procuring rations. The government said that these difficulties had emerged because the officers in charge of implementation had not used the PoS terminals for PDS in the manner that the Cabinet had recommended. Hopefully, other state governments will take note and follow suit.