Reliance Jio data breach that has been widely reported in the media as one of the biggest data breaches in the telecom industry in India which, in all likeliness, is one of the largest data hacks of personal information across industries in India too.
While privacy activists and concerned citizens are actively debating over the security issues with Aadhaar card, magicapk.com revealed a database of several million Jio subscribers which includes their name, mobile number, email ID and Aadhaar number.
Although the Aadhaar number wasn’t available on the website at the time the hack was reported, a blank parameter for the same was, which has led many to believe that the hacker might be in possession of Aadhaar card numbers.
The website is now inactive but is believed to have gone live on June 9, 2017, at around 6 pm (IST) and soon after making it to the headlines, the website was taken down.
Reliance Deems the Hack ‘Inauthentic’
In an earlier statement, Reliance has blatantly branded the data leak as ‘inauthentic’ and assured their subscribers that ‘their data is safe and maintained with the highest security’.
While there had been speculations that data of only the early subscribers of Reliance Jio was leaked — confirmed by our report at Guiding Tech — a report by Indian Express claims that “details of numbers bought as late as last week are up on the site”.
Given that Reliance Jio currently has north of 120 million subscribers in the country, the number of customers whose data has been hacked might run in tens of millions or even more.
How Does the Leak Affect Me?
While the Aadhaar card number of the people whose information appeared in the database wasn’t available, the first name, middle name, last name, mobile number, email ID, Circle ID, and SIM activation date and time were available freely. And all that was needed to fetch this information is a Jio phone number.
To most of us, this information even if shared publically doesn’t seem as harmful but may lead to a lot of spam calls and messages on your mobile phone number and phishing attacks on your email ID.
The current ‘magicapk-Jio leak’ hasn’t doled out any Aadhaar information that we’re aware of, but the main point to note here is the possibility of Aadhaar biometrics leak and its implications.
What Are the Bigger Implications? Aadhaar Biometrics!
Although there has been no indication that Aadhaar details of Jio customers have been leaked in the magicapk.com hack and leak, the government needs to put strict guidelines in place to implement a new and robust security framework, especially for organisations which need Aadhaar information of a citizen.
Since Aadhaar card not only carries personal information but also biometric data of more than a billion Indian citizens, there is no debating the fact that the information needs to be kept securely.
Biometrics such as fingerprints are not a preferable option but is largely being used to identify as well as secure the data of people — including our smartphones and laptops these days.
In extreme cases, if the Aadhaar data of a person is stolen, the same fingerprints from the biometrics can be used to implicate the said person in a crime by planting the stolen fingerprints on the crime scene.
While this might seem far-fetched, lack of a good security framework will make this possible for anyone with means and knowledge of the deep web where such information is sold for a nominal price.
While the government already has a solution to secure your biometrics on the UIDAI website which enables a ‘biometric lock’ on your profile — preventing your biometric from potential misuse — this will also lock you out of using certain services integrated with Aadhaar which need biometric authentication.
“This system will enable Resident to lock and temporarily unlock their biometrics. This is to protect privacy and confidentiality of Resident’s Biometrics Data,” the UIDAI website reads.
Linking Aadhaar to Multiple Services Increases Vulnerability
Aadhaar is arguably aimed at providing added comfort to its citizenry while accessing services but in the absence of a secure online framework, it’s also leaving the Aadhaar data vulnerable to attacks by hackers.
Since people are required to link their Aadhaar information in order to gain unrestrained access to a service within minutes, it’s also important that the service provider in question maintains a secure framework for storing the data provided by customers while linking their Aadhaar information.
In the absence of effective security measures, it becomes easier for a perpetrator to access Aadhaar details as the avenues to procure the data increases by the number of times a person has linked his Aadhaar details to a unique service provider.
Another valid argument put forward by a report in The Wire is that the servers holding the Aadhaar database can also be challenged with a DDoS attack, which could result in a number of essential services that are linked to the Aadhaar being rendered unavailable.
Over the period of past few months, the government has initiated drives that need to integrate your Aadhaar number with a service provider to avail the benefits — making the integration compulsory in a few cases.
And now as an increasing number of telecom operators are asking for Aadhaar ID to be linked with mobile numbers, the government needs to implement guidelines for a secure framework which all these companies will have to abide by in order to be able to procure and keep the Aadhaar data secure.
There is no doubt that creating a unified database to authenticate the identity of its billion-plus and growing citizens and integrating it with essential services will form a more organised administration system with much lesser fallacies — in the light of recent malware attacks — it’s important that the government takes the security of this sensitive database seriously in order to avoid a major calamity in the digital era.