A SIM card distributor in Telangana was arrested for activating 6,000 SIM cards through the eKYC system using Aadhaar numbers, reported The Times of India. P Santosh Kumar was a distributor of Vodafone prepaid SIM cards.

On June 20, the regional office of UIDAI in Hyderabad lodged a complaint the local police station alleging that P Santosh Kumar was involved in illegal Aadhaar linking (eKYC). The UIDAI alleged that Kumar had fraudulently downloaded Aadhaar credentials of people from Telangana government’s registration and stamps department and misused them to activate SIM cards.

Apart from UIDAI’s central database, Aadhaar numbers and fingerprint scans are available at local sub-registrar’s office. Anybody who can access registered property documents to create their own Aadhaar database and then use an individual’s Aadhaar.  A report on The Wire has explained how a SIM card dealer was able to get into a system that one would think requires technical knowledge.

Property registration documents submitted in the sub-registrar’s office need to have the following information: names and addresses of the buyers, sellers and witnesses, their fingerprints, and in some states Aadhaar. Some states leak this data through vulnerable online dashboards, for example, Andhra Pradesh. All these documents can be obtained legally through the registration department in Telangana for up to Rs 210-235. One property document has the Aadhaar details of 4-5 people — the seller, the buyer, and two or more witnesses. Thus the Aadhaar database of one person can be built for Rs. 50-60. The Wire report further elaborates on the method used for fingerprint scan, which is done by converting a fingerprint scan into a mould, which can further be used to activate a SIM card via an e-KYC machine.

The false activation of SIMs can be used to get a commission from telecom companies, or can be used for a more lucrative business: preactivated SIM cards sells for as much as Rs. 500. In this case, Santosh Kumar managed to activate 6000 SIM cards. Authorities became suspicious when an unusually high number of activations were made from a single e-KYC machine.

The total cost of Aadhaar identity takeover is as low as Rs. 125 as illustrated by The Wire; identity theft for activation of SIM cards is worrying, especially as a layperson could pull it off too. This is the latest in a series leads related to Aadhaar or of data seeded with Aadhaar.

In fact, the most recent set of leaks come from the government portals of Andhra Pradesh and Telangana.

  • In May, the Andhra Pradesh government exposed expansive details of up to 4.5 crore citizens — right from their phone numbers, insurance status, and home addresses — on a state government portal, accessible with only an Aadhaar number. The leak contained socio-economic and demographic data of citizens seeded with Aadhaar. Read the full report here.
  • In May, data of 2.5 lakh pensioners was exposed on the Telangana state treasuries department portals, reported The New Indian Express. Bank account number, Aadhaar number and other personal details was easily available by simply entering the name of the pensioner on the information portal. Read more here.
  • Read a complete log of all Aadhaar leaks here.