The Commissionerate of College Education, Andhra Pradesh, has leaked the personal data, including Aadhaar numbers, of over 64,000 past and present students, reports The Times of India.

MediaNama was able to access information contained in this leak. One of the exposed datasets shows personally identifiable information of individuals, furnishing details such as caste, gender, Aadhaar, the course they are enrolled in, college name, district etc. The data belongs to degree students enrolled in government colleges across all 13 districts of the state.

The college management collected this information to avoid duplication in scholarships and fee reimbursement, former MLC, KS Lakshmana Rao told TOI. The details were reportedly uploaded without the consent of the students. Andhra Pradesh state officials said that the mistake was unintentional, and had planned to take these details down by today. However, this information continues to be on the website at the time of publishing.

MediaNama has withheld the URL of the portal to protect the privacy of the individuals.

AP govt portals have leaked Aadhaar numbers before

  • In April, it was discovered that a portal belonging to the state government was leaking data individuals including their Aadhaar number, bank – branch, IFSC code and account number. The data also included father’s name, address, gram panchayat, mobile number, ration card number, occupation, religion and caste information.
  • In the same month, a state health department website was leaking personal information of Eligible Couples, Pregnant Women and Children from the Nutrition and Health tracking system as well as the Reproductive and Child Health department. The data published on this site included Aadhaar numbers of women and tracked their reproductive history from pregnancy to its conclusion – whether abortion, risk status, follow ups or birth. It also tracked the infants early years and vaccinations.
  • In June, a state government portal was found to be exposing expansive data of upto 4.5 crore citizens — right from phone numbers, insurance status, and home addresses — all of this, accessible with only an Aadhaar number. This data was collected under Praja Sadhikhara Survey or Smart Pulse Survey, which is an extensive database of socio-economic and demographic data of citizens, seeded with Aadhaar. All the data was therefore accessible with just an individual’s Aadhaar number.

Read: New data leak allows targeting by religion, caste and locality and provides Aadhaar and bank details

AP is infamous for exposing personal data

Unfortunately, Andhra Pradesh has a history of leaking personal and sensitive information about its citizens. In a spate of leaks revealed this year, it has been found that the state has leaked personally identifiable information of who bought a pill for erectile dysfunction, who called for an ambulance, allowed for real-time tracking of the ambulance, pregnancy history, and much more.

  • In June, an unsecured website of Andhra Pradesh government was found to be exposing the names and numbers of every person who purchased medicines from a government-run Anna Sanjivini store. It contains logs of Order ID, the Store Operator ID, Customer name, Customer phone number, details of the medicines, and the money paid. Remember that this is for each order. Details of who purchased included Suhagra 50, a drug used to treat erectile dysfunction.
  • A public website run by the Andhra Pradesh government, hosted on Microsoft’s Azure cloud computing service, was found to be tracking state-run ambulances in real time, allowing anyone with an internet connection to monitor the movement of these vehicles and obtain sensitive information about the patient — such as the pick-up point, why the ambulance was called, and the hospital to which the patient was taken. The website displays the pick-up point and the purpose of the visit — such as assault, pregnancy, heart attack, asthma, etc.

Read all our stories on data breaches by the Andhra Pradesh government here.

Risks related to leaked Aadhaar numbers

Treating Aadhaar numbers as non-confidential can prove risky as they can be used to find information about the holder. This was proven when TRAI Chairman RS Sharma put up his Aadhaar number on Twitter, challenging people to bring harm to him. Within hours, users on Twitter were able to dig up the TRAI Chairman’s mobile number(s), Google and Yahoo email addresses, physical address, date of birth, and even the frequent flyer number which is believed to be a response to the security question for changing Sharma’s Gmail password. Multiple bank account numbers were made public.

Sharma’s stature as a high-ranking central government official may have offered him protection from any real harm through his Aadhaar number. However, college graduates in Andhra Pradesh are not going to be secure with their Aadhaar number in the public. Besides, exposure of Aadhaar number may be illegal as the Aadhaar Act says that it is illegal to publish Aadhaar numbers.