A security researcher claimed that an Indian government website was potentially exposing the Aadhaar numbers of India’s farmers, thereby potentially jeopardizing the lives of several million people. India’s Farmers exposed by new Aadhaar data leak.
Atul Nair told TechCrunch that he found a part of the Pradhan Mantri Kisan Samman Nidhi website that was revealing farmer data. PM-Kisan, as the agency is celebrated, is an Indian government initiative designed to ensure the financial accessibility of Indian farmers.
One of Nair’s goals was to help farmers retrieve Aadhaar numbers, which requires them to input them into the system before being permitted to continue with the state revenues.
Every Indian citizen has a 12-digit Aadhaar number, which is included in the national identity database. Aadhaar is used as a proof of identity for citizens who have their fingerprints and retina scanned in order to sign up to the database and are often required to obtain state services, such as the provision of welfare benefits and voting rights. Aadhaar numbers are also used for identifying bank accounts, renting a home using Airbnb, driving with Uber, and for providing verification of online services. Aadhar numbers aren’t uniquely secret but are treated similarly to American Social Security numbers or British National Insurance numbers.
Information about farmers affected by the Pradhan Mantri Kisan Samman Nidhi website was disclosed in the Aadhaar numbers that Nair provided. TechCrunch confirmed the authenticity of the exposed findings by examining the exposed information taken from PM Kisan’s website against farmers’ Aadhaar numbers.
A malicious attacker could very easily have copied the info from the People’s India Portal, which is accessible only in India, by filling out a plug-in. It has been reported by PM-KISAN’s website that, based on Indian news sources about India’s Farmers exposed by new Aadhaar data leak, more than 110 million farmers have managed to sign up for a portal since the campaign’s launch in 2019.
Nair documented the security threats in January to the CERT-In team in both India and exposed them in mid-May. He also published his report on India’s Farmers exposed by new Aadhaar data leak in a blog post.
Ranjna Nagpal, whose contact information can be found on PM-Kisan ‘s website, failed to return an email requesting her feedback prior to publication.
The news didn’t originate from a failure of the Aadhaar database that is overseen by the UIDAI, but the latest security flaw associated with the database. India’s Prime Minister Modi has staunchly defended his government’s Aadhaar database.
In 2017, a report on India’s Farmers exposed by new Aadhaar data leak found more than 130 million Aadhaar numbers and banking information had been exposed by a single website. TechCrunch has also reported on numerous lapses involving millions of Aadhaar numbers. And in 2018, journalists discovered that Aadhaar records were available for purchase for privacy-invasive purposes.