The leak of confidential information of more than a million citizens from a Jharkhand government website exposes systemic vulnerabilities in India’s much-touted e-governance framework, experts have said.
The warnings come after the Jharkhand Directorate of Social Security published on its website 1.4 million names, addresses, bank account details and Aadhaar numbers. Twenty-four hours after the breach was noticed by media outlets, officials had no idea how the details made it onto the website unsecured, but they had taken the page offline.
“User education is not adequate at this point in time to match the rate at which security-related risks are growing,” said Subhashis Banerjee, professor of Computer Science at the Indian Institute of Technology, Delhi.
Banerjee explained that while the Centre and states are gathering more and more data about citizens to ensure government schemes reach intended beneficiaries, departments that hold this information are ill-equipped to maintain and safeguard these sensitive databases. “Even the government is not fully aware of what it is doing,” he said.
The introduction of Aadhaar-seeding, to inter-link these discreet databases, has only exacerbated this vulnerability as a leak in one database could leave a citizen’s entire digital life vulnerable to a hack.
“It [Aadhaar] can be used to correlate and find out the identity of an individual very easily,” said Banerjee, “Availability of these databases enables adversaries to keep a tab on individuals unless special precautions are taken to prevent this.”
The Unique Identification Authority of India (UIDAI), which oversees the Aadhaar framework, insists that its servers are impervious to attack, but most leaks are likely to come from an attack on the weakest link of the Aadhaar chain: thousands of insecure computers maintained by rickety block-level government offices across the country.
In Jharkhand, for instance, cyber security experts had long warned that many websites maintained by the state government were insecure.
“We had demonstrated these vulnerabilities to the state government in December,” said Vineet Kumar, a former member of Jharkhand police’s cyber cell, who has since set up the Cyber Peace Foundation, an NGO.
Officials at the Jharkhand IT department acknowledged the vulnerabilities of their websites, but pointed out that this particular lapse occurred on a website managed by the National Informatics Centre, India’s premier e-governance provider.
“The NIC has been taking care of all the technical aspects of Aadhaar related issues for us. They have been doing it since 2014, but this is the first time that such a leak has occurred on the website,” said Ram Parvesh, Director for Social Security, adding that his department had called for a meeting with NIC on Monday to solve the problem.
“Jharkhand-type leaks could happen anywhere,” said an official who works closely with the Ministry of Rural Development, “In many states, each department has its own IT vendors who build the software that stores this information. There is no common security standard across states and departments.”
This multiplicity of software solutions and private service providers, the official said, also made it difficult to implement nation-wide fixes once vulnerability had been discovered in one state.
“So even if we fix Jharkhand’s problem, we can’t simply upgrade all systems to ensure a similar problem does not occur in a different department in a different state,” he said.
The UIDAI declined comment on this story. An official statement on the Jharkhand leak is expected on Monday.