Indian media recently reported a "breach" of the biometric data-linked Aadhaar national identification scheme.
While the authority governing the system apparently noticed and stopped the "breach" (later found to be an employee testing his own biometric data, which he had allegedly stored illegally, rather than a compromise of the central database), the fact remains that the employee was able to store and transmit a set of biometric data, and that several security concerns relating to the collection and use of biometric data remain. Furthermore, in touting the security of any system, authorities walk a fine line between reassuring citizens and issuing a perceived challenge to those who would try to exploit it.
The Aadhaar is a 12-digit national identification number, assigned and administered by the Unique Identification Authority of India (UIDAI). The number itself is randomly assigned, but it is linked to demographic and biometric data (including fingerprints and iris scans) collected when the number is issued.
Although the Aadhaar is nominally voluntary, it is mandatory for a number of direct benefit transfers (DBTs), and the scope of programs for which it is required looks likely to keep expanding until all 84 such programs (which will have distributed 539.4 billion INR, roughly 8.1 billion USD, in FY 2016-2017) require it.
In addition to being used for tracking DBTs, the Aadhaar is also used as an authentication method for a widening range of financial and sales transactions, through what is described as the Aadhaar Enabled Payment System (AEPS).
Local media reported that on February 15, UIDAI had apparently filed a police complaint against three companies, Axis Bank, Suvidhaa Infoserve, and eMudhra, for the alleged unauthorized storage of biometric data, which those involved allegedly used to attempt multiple transactions.
Although later reporting clarified that there was apparently no malicious intent (it was an employee who had stored his own data and was testing the system), the storage of the biometric data itself was illegal.
On March 5, UIDAI issued a press release refuting or clarifying many of the claims made in reporting:
- "The UIDAI has carefully gone into these reports and would like to emphasise that there has been no breach to UIDAI database of Aadhaar in any manner whatsoever and personal data of individuals held by UIDAI is fully safe and secure."
- "So far as the incident of misuse of biometrics reported in a leading newspaper is concerned, it is an isolated case of an employee working with a bank's Business Correspondent's company making an attempt to misuse his own biometrics which was detected by UIDAI internal security system and subsequently actions under the Aadhaar Act have been initiated."
- "During the last five years, more than 400 crore Aadhaar authentication transactions have taken place and to the best of knowledge of UIDAI [emphasis added] no incident of misuse of biometrics leading to identity theft and financial loss has been taken place."
Stealing Biometric Data
Raw biometric data is relatively easy to steal: a sufficiently high-quality photograph, or access to something the target has touched, is enough. Both fingerprints and iris patterns have reportedly already been captured in this way. Capturing the feature is not by itself the same as defeating a sensor's liveness checks, so the practical risk depends on whether the authentication channel will accept a replayed sample, which is exactly what the incident above shows happening.
Permanence of Biometric Data
Biometric data's greatest strength is also its greatest potential liability: an individual's iris is unique, but once that data is compromised, that individual can never reliably use that authentication factor again. A password can be reset; an iris cannot.
The individual whose actions ultimately led to the detection of the "breach" was apparently caught because he submitted several concurrent transactions with the same biometric data as part of a test. What happens if a criminal takes precautions to avoid setting off the alarms, for example by spacing attempts out instead of sending them at once?
Even if the UIDAI Aadhaar database is secure, is UIDAI the only institution with access to the data, or to part of it? Do other institutions with access apply the same standards of caution? Anecdotal evidence suggests that this may not always be the case. Bureaucratic mismanagement is hardly limited to India, as the 2014-2015 breach of the US Office of Personnel Management (OPM), which exposed fingerprint records along with personnel files, demonstrated.
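To make the detection question concrete, here is an added illustration, not UIDAI's internal security system (whose rules are not described on this page): two simple rules run over a constructed log of authentication attempts. The record layout, the SHA-256 digest used to compare samples, the window and threshold values, the device names and the Aadhaar-style numbers are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass(frozen=True)
class AuthAttempt:
    ts: datetime
    uid: str         # 12-digit Aadhaar-style number (constructed values below)
    device_id: str   # terminal that submitted the request (assumed field)
    sample: bytes    # biometric sample bytes as received (constructed below)


def sample_id(sample: bytes) -> str:
    """Digest of the received sample, so the rules can compare reuse without retaining it."""
    return hashlib.sha256(sample).hexdigest()[:16]


def flag_burst(attempts, window=timedelta(seconds=60), threshold=3):
    """Rule 1 (velocity): the same sample submitted `threshold` or more times inside `window`.
    A tester firing several transactions at once trips this; a patient replay does not."""
    by_sample = defaultdict(list)
    for a in sorted(attempts, key=lambda x: x.ts):
        by_sample[sample_id(a.sample)].append(a.ts)
    flagged = set()
    for sid, times in by_sample.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(sid)
                break
    return flagged


def flag_exact_repeat(attempts):
    """Rule 2 (replay): a byte-identical sample seen in more than one transaction, at any spacing.
    Assumption: two genuine captures of the same finger or iris never yield identical bytes,
    so an exact repeat means a stored copy is being replayed."""
    count = defaultdict(int)
    for a in attempts:
        count[sample_id(a.sample)] += 1
    return {sid for sid, n in count.items() if n > 1}


# Constructed log: none of this is real data -----------------------------------
T0 = datetime(2017, 2, 10, 9, 0, 0)
STORED_A = bytes.fromhex("a1b2c3d4" * 8)   # a sample kept on disk by the tester
STORED_B = bytes.fromhex("5e6f7a8b" * 8)   # a sample kept on disk by a patient attacker
LIVE = [b"live-capture-" + bytes([i]) for i in range(3)]  # genuine captures, slightly different each time


def build_log():
    log = []
    # (a) the tester: four transactions with STORED_A within ten seconds
    for i in range(4):
        log.append(AuthAttempt(T0 + timedelta(seconds=2 * i), "111122223333", "dev-A", STORED_A))
    # (b) the patient attacker: STORED_B once a day for four days
    for d in range(4):
        log.append(AuthAttempt(T0 + timedelta(days=10 + d), "444455556666", "dev-B", STORED_B))
    # (c) a legitimate user: three separate live captures over a week
    for i, s in enumerate(LIVE):
        log.append(AuthAttempt(T0 + timedelta(days=20 + 2 * i), "777788889999", "dev-C", s))
    return log


def run():
    """Apply both rules to the constructed log and return the flagged sample ids per rule."""
    log = build_log()
    return {"burst": flag_burst(log), "repeat": flag_exact_repeat(log)}


if __name__ == "__main__":
    for rule, hits in run().items():
        print(rule, sorted(hits))
```

The velocity rule catches the behaviour reported in this incident, a burst of transactions carrying the same sample, but the once-a-day replay passes it untouched; only the exact-repeat rule catches that, and it rests on the assumption that replayed bytes are identical. An attacker who perturbs the stored sample slightly before each replay defeats the second rule as well, which is why server-side reuse detection cannot substitute for preventing the sample from being stored at the endpoint in the first place.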
Erudite Risk offers risk management and security-related professional services for multinational companies operating in the Asia-Pacific region. With operations in India, Korea, and Singapore, Erudite Risk is ready to help you meet the challenges of Asia, the most dynamic and challenging business environment in the world.