Security breach in India?

In 2010 India started scanning personal details like names, addresses, dates of birth, mobile numbers, and more, along with all 10 fingerprints and iris scans of its 1.3 billion citizens, into a centralized government database called Aadhaar to create a voluntary identity system. On Wednesday this database was reportedly breached.

The Tribune, a local Indian newspaper, published a report claiming its reporters paid Rs. 500 (approximately $8) to a person who said his name was Anil Kumar, and who they contacted through WhatsApp. Kumar was able to create a username and password that gave them access to the demographic information of nearly 1.2 billion Indians who have currently enrolled in Aadhaar, simply by entering a person’s unique 12-digit Aadhaar number. Regional officers working with the Unique Identification Authority of India (UIDAI), the government agency responsible for Aadhaar, told the Tribune the access was “illegal,” and a “major national security breach.”

A second report, published on Thursday by the Quint, an Indian news website, revealed that anyone can create an administrator account that lets them access the Aadhaar database as long as they’re invited by an existing administrator.

Here is the full story, via Brian Slesinsky.

Comments

The Indian government should blame it on the Russians.

Or North Korea, China, Iran.

Obama.

All super secret Government databases will be hacked or leaked. (And probably not only government ones.)

Give no information that you needn't. If you need to give some, give something fake or frivolous.

"Probably?"

There may be non-government ones the existence of which is publicly unknown. They might not get hacked. Of course you can't prove that I'm wrong when I conjecture that there could exist databases the existence of which is publicly unknown.

A major Indian government database hacked? Impossible!

I wouldn't say it was impossible but this database was not hacked. Someone sold someone else the password.

It is impossible to think that it would be any other way in India.

Still, what is the worst that can happen? Probably all 1.2 billion of them got a text from a couple of sleazy lawyers about the Green Card lottery.

We don't see iOS and Android being hacked too often. I wonder why other entities don't try their approaches.

If you haven't noticed the frequent OS updates, perhaps you have been hacked!

https://www.cvedetails.com/vulnerability-list/vendor_id-49/product_id-15556/Apple-Iphone-Os.html

Still, iOS has fewer exploits, because Apple locks down the app store. (Likewise: Xbox, PlayStation, Nintendo have few serious issues.) Microsoft tried the locked-down App Store approach in Windows 8 and Windows Phone, but failed to make it a real business; it is hard to get the developer / consumer snowball rolling. That Apple did it was a neat trick.

No government goes on forever. People don't seem to realize that massive accumulations of information will eventually be controlled by entities interested in using it in ways that may not be what they want.

Basic history lesson in German classrooms, as the Nazis used the Weimar social welfare lists for their own 'social welfare' programs. And one reason that Germans tend to be so fanatic about data privacy issues - being ruled by a genocidal regime that believed in using eugenic 'principles' to remove the unfit tends to leave an impression, at least for a couple of generations.

It is amazing how much determined forgetting was required before those nice sophisticated civilized Europeans got around to re-introducing the forced euthanasia of people inconvenient and expensive to the government. Even holding them down when they objected. And of course starting with the handicapped.

Sort of like the way the Germans have come to believe that the sensible response to criticism of the ruling parties is to control the internet completely.

People learn from history but not always the right lessons.

'Sort of like the way the Germans have come to believe that the sensible response to criticism of the ruling parties is to control the internet completely.'

You came so close to getting it right when it comes to why the Germans, people fully aware that when it comes to torchlight marchers shouting 'blood and soil' and 'Jews will not replace us' there are not very fine people on both sides, want to prevent yet another politician gaining enough power to allow 're-introducing the forced euthanasia of people inconvenient and expensive to the government.' No slippery slopes in Germany - they already know what happens if you don't oppose Nazis as early and as effectively as possible. And considering that it took the deaths of millions and the utter ruin of the Nazis' Heimat the last time round, fining people for following the Nazi playbook seems cheap. Whether it turns out to be more effective than strategic bombers and the Red Army when removing the ability of Nazis to do and say what they want remains to be seen, of course.

Recall Trump's 'voter fraud commission' wanted all the states to email them the names, addresses, birthdays and social security numbers of all registered voters.

An advantage here is non-overlapping government databases. Two states may have your social security number in their database (say you worked and paid taxes in two states), but they are different databases and hacking both would require a customized approach by a single hacker...and even if both are hacked some skill is needed to 'marry' the two databases together to create a unified database of all the SSI numbers of both states. One national "uberdatabase", though, creates too tempting a target. See the first Mission Impossible movie with their 'NOC list'.

I could 'marry' two voter databases in a couple hours, don't think that's a relevant concern here.

A database can marry whomever he/she wants. It is their life, their choice.

It's grotesque and I'm not baking the cake though. I don't want to normalize database marriages.

"Two states may have your social security number in their database (say you worked and paid taxes in two states), but they are different databases and hacking both would require a customized approach by a single hacker"

What's the point of hacking two databases to get the same information?

The point is that assembling everyone's data would require hacking 50 plus databases, whereas a single master database just requires a single hack. Don't put your eggs in one basket, in other words.

Any information that must be given to a government or corporation is, in effect, public, at least in the bad ways though not in the good ways. That means it can be assumed that it will be available not only to the entity that demands the data, but also to entities powerful enough to do deals with it, and to organised criminals.

This is not in itself a problem. There might be no problem for me if the Russian spies and local motorcycle gangs know my home address, phone number, tax ID. The problem is that the marketing/political messaging is totally different: when voters are told to disclose such things they are told "we take your privacy seriously and will not share this info".

We don't know to what extent data-collection projects would be tolerated if people were told the truth: "we will share this data with the mob, but use your privacy as a fig-leaf to strategically withhold it from freedom of information requests when we are in trouble".

Not only will the Russian computer-motorcycle gangs get the information, they will manipulate it. Then it will be a big problem for you.

You have to love the guy calling himself Anil Kumar.

I wonder how many times his identity has been stolen?

This follows the Intel story nicely. Another in the same vein was the problems in the Estonian public key system.

Humans need data security but are bad at data security.

What to do?

Maybe you have to rely on the biometrics. Even if an iris scan is stolen, it is still hard to fake.

What to do? Stop thinking that information on every citizen is important. Stop passing legislation that requires it. Delegate the personal contact needs to local jurisdictions.

Suspend all e-commerce?

Biometrics have limited uses. They are easy enough to fake. Once it is known, you can't change your biometric password.

I was thinking "in person," and let me point this at your actual eye. Anything remote and unsupervised is harder, for sure.

A sobering look into a worrying future.

"And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name."
