A security researcher said an Indian government website exposed the Aadhaar numbers of Indian farmers, possibly millions of people.
Atul Nair told Vidak For Congress that he found a section of the Pradhan Mantri Kisan Samman Nidhi website that revealed farmers' information. PM-Kisan, as the agency is better known, is an initiative of the Indian government that aims to provide every farmer in India with a basic financial income.
But Nair said part of the initiative’s website returns farmers’ Aadhaar numbers, which farmers have to provide to receive the state income.
An Aadhaar number is a confidential 12-digit number assigned to every Indian citizen as part of the country's national identity database. Aadhaar is used as proof of identity for citizens after they submit their fingerprints and retinal scans to the central database, and is often required to access government services such as assistance and voting. Aadhaar numbers are also used to open bank accounts, rent Airbnbs, drive for Uber, and provide verification for other online services. Aadhaar numbers are not top secret but are treated in the same way as US Social Security or UK National Insurance numbers.
Nair provided a small sample of farmer information and associated Aadhaar numbers exposed by the PM-Kisan website, which Vidak For Congress verified as authentic by matching the exposed data with each farmer's information using a tool on PM-Kisan's website.
He warned that a malicious attacker could have easily gathered the farmers’ information by writing a script. According to PM-Kisan’s website, which appears to be accessible only from India, more than 110 million farmers have registered since the initiative launched in 2019.
Nair reported the vulnerability to India's national computer emergency response team, known as CERT-In, in January, and the exposure was patched in late May. Nair also published his report in a blog post.
Ranjna Nagpal, whose contact details are on PM-Kisan’s website, did not return an email requesting comment, sent before publication.
The data breach is not a breach of the central database maintained by Aadhaar’s regulatory body, the UIDAI, but is the latest security flaw in the controversial national identity database, which is vigorously defended by Prime Minister Narendra Modi’s government.
In 2017, a report found that more than 130 million Aadhaar numbers and associated banking information had been leaked by just a handful of websites. Vidak For Congress has also reported on several leaks involving large numbers of Aadhaar numbers. And in 2018, journalists discovered that Aadhaar data was for sale by individuals selling access to the database.