Aadhaar ‘theft’ a one-off incident, not dangerous: UIDAI

06 Mar 2017

The Unique Identification Authority of India (UIDAI) has rebutted reports of misuse and breach of security of Aadhaar data of individuals.

The UIDAI's clarification comes in the wake of reports claiming that Aadhaar data was breached and biometrics were misused for creation of parallel databases by some interested parties.

Terming such reports as "misinformation", the UIDAI - the agency that handles the Aadhaar project - asserted that there has been "no incident of misuse of Aadhaar biometrics leading to identity theft or financial loss".

In a 10-point statement, UIDAI said:

  • UIDAI has carefully gone into these reports (appearing in newspapers and websites) and would like to emphasise that there has been no breach to UIDAI database of Aadhaar in any manner whatsoever and personal data of individuals held by UIDAI is fully safe and secure.
  • UIDAI uses one of the world's most advanced encryption technologies in transmission and storage of data. As a result, during the last seven years, there has been no report of breach or leak of residents' data out of UIDAI.
  • UIDAI is continuously updating its security parameters looking at the new threats in cyberspace. It also undertakes security audits and takes necessary steps to augment its security features.
  • UIDAI has decided to have registered devices for capturing biometric data and further that such biometrics will be encrypted at the point of capture itself. This will further strengthen the security features of the Aadhaar ecosystem.
  • Referring to one incident of misuse of biometrics, UIDAI said, "It is an isolated case of an employee working with a bank's Business Correspondent's company making an attempt to misuse his own biometrics which was detected by UIDAI internal security system and subsequently actions under the Aadhaar Act have been initiated."
  • The regulations under the Aadhaar Act strictly regulate the on-boarding and functioning of the companies which want to use Aadhaar information, including the data sharing restrictions imposed on them.
  • There are stringent provisions in the Aadhaar (Authentication) Regulations governing the usage of e-KYC data including storage and sharing, resident consent being paramount in both the cases. Any unauthorized capture of IRIS or fingerprints or storage or replay of biometrics or their misuse is a criminal offence under the Aadhaar Act.
  • Banks or mobile operators have to become UIDAI's AUA/ASAs to obtain E-KYC data of their customers from UIDAI. The E-KYC data can be given by UIDAI to these agencies only after they obtain consent of their customers and can be used only for the purpose for which it was obtained.
  • A telecom operator or a bank can obtain the E-KYC data of its subscribers or customers and will keep them in their records without biometrics and use them only for the purpose of providing relevant services. They cannot use it for any other purpose without obtaining consent of the customer. Violations of above provisions attract strict penalties under the Aadhaar Act which will be enforced strictly.
  • Aadhaar has helped more than 4.47 crore people to open bank accounts through Aadhaar E-KYC. It has enabled the government to do Direct Benefit Transfer under various schemes such as LPG Subsidy under Pahal, Scholarships, MNREGA, and Pensions. Through Aadhaar based Direct Benefit Transfers the government has saved over Rs 49,000 Crore during the last two and a half years.