A security breach on a key government portal of the Indian state of Rajasthan exposed the sensitive documents and personal information of millions of residents, raising serious concerns about data protection at the state level in India. The vulnerabilities, discovered by security researcher Viktor Markopoulos, affected the Jan Aadhaar portal, a program that provides a single identifier for accessing state government welfare schemes.
The flaws exposed copies of Aadhaar cards, birth and marriage certificates, electricity bills, and income statements belonging to registrants. Personal details such as date of birth, gender, and father's name were also exposed. Data of this kind can be misused for identity theft, financial fraud, and other malicious activity.
Aadhaar is a 12-digit identification number that is assigned to all residents of India based on their biometric and demographic data. The primary objective of Aadhaar is to simplify administrative processes, such as accessing government subsidies, filing taxes, and verifying identity. By providing a unique identification number, Aadhaar aims to streamline these processes, reduce fraud, and increase efficiency.
Markopoulos, working with cybersecurity firm CloudDefense.ai, identified two critical bugs in the Jan Aadhaar portal in December 2023. One bug allowed anyone to access personal documents simply by knowing a registrant’s phone number. The other flaw allowed attackers to retrieve sensitive data by exploiting weaknesses in the system’s one-time password verification process.
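The two bug classes the report names (document retrieval gated only by knowledge of a phone number, and a weak one-time-password check) map onto two well-known server-side controls: object-level authorization and a properly enforced OTP verification step. The following Python is an added illustration written for this article, not code from the Jan Aadhaar portal, CloudDefense.ai or the researcher, and it makes no claim about how the real system was built or what its specific OTP weakness was. It places a lookup keyed only by phone number (the pattern the report describes) beside a version in which the caller must first complete an OTP check and then may only read documents for the phone number that check was bound to. The document store, phone numbers and function names are constructed for the example.

```python
"""Added example: phone-number-only document lookup beside an OTP-verified,
identity-bound lookup. All data below is constructed; no real registrants."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample store: phone number -> document filenames (not real data).
DOCUMENTS = {
    "9000000001": ["aadhaar_card.pdf", "birth_certificate.pdf"],
    "9000000002": ["electricity_bill.pdf"],
}


def get_documents_vulnerable(phone: str) -> list:
    """Missing authorization: anyone who supplies a phone number receives that
    registrant's documents. Nothing proves the caller controls the number."""
    return DOCUMENTS.get(phone, [])


@dataclass
class OtpService:
    """Hypothetical OTP flow with the controls a defender expects: codes are
    stored only as keyed hashes, expire, are single-use, tolerate a bounded
    number of wrong guesses, and a successful check yields a session bound to
    exactly one phone number."""
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    ttl: int = 300            # seconds an OTP stays valid
    max_attempts: int = 5     # wrong guesses allowed before the OTP is discarded
    _pending: dict = field(default_factory=dict)   # phone -> (hash, expiry, attempts)
    _sessions: dict = field(default_factory=dict)  # session token -> phone

    def _hash(self, phone: str, otp: str) -> bytes:
        # Keyed hash so a leaked table of pending OTPs is not directly usable.
        return hmac.new(self.secret, f"{phone}:{otp}".encode(), hashlib.sha256).digest()

    def send_otp(self, phone: str, now: float = None) -> str:
        if now is None:
            now = time.time()
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = (self._hash(phone, otp), now + self.ttl, 0)
        # In a real service the code goes to the SMS gateway only; it must never
        # be echoed in the HTTP response. Returned here so the example can run offline.
        return otp

    def verify_otp(self, phone: str, otp: str, now: float = None):
        """Return a session token on success, None on any failure."""
        if now is None:
            now = time.time()
        entry = self._pending.get(phone)
        if entry is None:
            return None
        digest, expiry, attempts = entry
        if now > expiry or attempts >= self.max_attempts:
            del self._pending[phone]          # expired or locked out: discard
            return None
        if not hmac.compare_digest(digest, self._hash(phone, otp)):
            self._pending[phone] = (digest, expiry, attempts + 1)
            return None
        del self._pending[phone]              # single use
        token = secrets.token_urlsafe(32)
        self._sessions[token] = phone         # session is bound to this number
        return token

    def get_documents(self, token: str, phone: str) -> list:
        """Object-level authorization: the session must exist and must belong to
        the same phone number being queried, otherwise the request is refused."""
        owner = self._sessions.get(token)
        if owner is None or owner != phone:
            raise PermissionError("session not authorised for this registrant")
        return DOCUMENTS.get(phone, [])


if __name__ == "__main__":
    svc = OtpService()
    code = svc.send_otp("9000000001")
    tok = svc.verify_otp("9000000001", code)
    print(svc.get_documents(tok, "9000000001"))
```

The design point is that the authorization decision in `get_documents` is made from server-side state (`_sessions`) created by the OTP check, never from the phone number the client supplies; the client-supplied value is only compared against that state. Expiry, the attempt cap and single use are what stop an OTP step from degrading into the same unauthenticated lookup by a different route.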
Markopoulos reported the vulnerabilities to the Jan Aadhaar Authority in December but received no response. After waiting a week, he escalated the issue to the Indian Computer Emergency Response Team (CERT-In), according to a report by TechCrunch.
CERT-In, the national agency for responding to computer security incidents, promptly intervened and confirmed the bugs. It worked with the Jan Aadhaar Authority to fix them, and the authorities patched both vulnerabilities last week, closing the exposure. Markopoulos welcomed the outcome and credited CERT-In's prompt response in getting the issue fixed.
The Jan Aadhaar portal, launched in 2019, has over 78 million individual and 20 million family registrants. It aims to offer "One Number, One Card, One Identity" for accessing state welfare schemes in Rajasthan. The program operates independently of the regular Aadhaar card, the nationwide identity program managed by the Unique Identification Authority of India (UIDAI).
This lapse in a state system adds to recent concerns surrounding Aadhaar, including a massive data breach in October 2023 that exposed the personal information of 81 crore (810 million) Indians. CERT-In's prompt intervention in resolving the vulnerabilities underscores the importance of swift responses to protect sensitive citizen data.