The special investigation team (SIT) probing the IT Grids case has found that the company had Aadhaar records from “other southern states and a few states in north India” apart from 7.8 crore records from Andhra Pradesh and Telangana, The Hindu reports. These included at least 2 crore records from Punjab, per Telangana Today.
Earlier this month the Cyberabad police lodged an FIR against IT Grids Pvt Ltd, which operates the Telugu Desam Party’s Sevamitra app, after 7.8 crore Aadhaar records from Andhra Pradesh and Telangana were found on the firm’s hard disks. The FIR was based on a complaint filed by the UIDAI’s Hyderabad Regional Office. The complaint and the FIR noted that the IT Grids’ possession of extensive Aadhaar data likely meant that the data was sourced from either the Central Identities Data Repository (CIDR) or the State Resident Data Hub (SRDH). The investigation, which revealed the structure and size of the database and the fact that it contained Aadhaar Enrolment IDs (EIDs), further strengthened this suspicion.
17th April 2019
Unique Identification Authority of India (UIDAI) has dismissed the news reports about alleged theft of data of 7.82 crore residents from UIDAI’s Central Identities Data Repository (CIDR)… 1/n
— Aadhaar (@UIDAI) April 17, 2019
However, UIDAI rejected this in a statement on April 17, contradicting the complaint filed by its own regional office. UIDAI said “the alleged incident has nothing to do with UIDAI’s data and servers”, which are “completely safe and fully secure”. It claimed the SIT had found no evidence to show that the data had been stolen from UIDAI servers, and that “the alleged illegal storage and misuse of Aadhaar numbers by IT Grids is being wrongly projected by a section of media as if Aadhaar servers have been compromised”. Whether or not UIDAI’s servers were compromised is a matter for investigators, but to say the case “has nothing to do with UIDAI data” contradicts the fact that the Aadhaar records of at least 9.8 crore people were indeed compromised, directly or indirectly. Meanwhile, UIDAI has launched a separate inquiry into the case through its Enforcement Directorate, which it constituted to inquire into issues related to data theft or breaches of the CIDR or SRDHs, reports Telangana Today.
The SIT investigation also revealed that IT Grids was storing Aadhaar data on Amazon Web Services servers in the US, which violates Section 44 of the Aadhaar Act, we reported last week. Investigators “strongly suspected” that the firm illegally stored Aadhaar databases of a few others states apart from Telangana and Andhra Pradesh off-shore.
The charges against IT Grids
According to UIDAI’s complaint, IT Grids’ possession of the data and its storage on hard disks violated several provisions of the Aadhaar Act 2016 pertaining to sharing and usage of Aadhaar data under sections 38(g) and 38(h). The company was also booked under Section 40 (fine and imprisonment of up to 3 years for failing to inform Aadhaar holders of how their data was being used), Section 42 (fine and imprisonment of up to one year), Section 44 (contravention of the Act, committed outside India). IT Grids allegedly violated laws that bar UIDAI or any private agency handling CIDR data from revealing information stored on the CIDR. Under the Aadhaar Act, Aadhaar or biometric data can be used only to generate Aadhaar numbers or for authentication. The identity information and biometric data can be used for any other purpose only with the prior consent of the individual. Further, the complaint states, IT Grids’ “illegal access and possession” of Aadhaar data violates provisions of the IT Act, 2008, specifically Sec 72(A), Section 65 and Sec 66(8).