NEW DELHI—On Tuesday, HuffPost India published the results of a three-month-long investigation into a serious breach in the security of the Aadhaar identity database. The investigation revealed that the data stored by the Unique Identification Authority of India (UIDAI) has been compromised by a software patch that disables critical security features in the enrolment software.
The findings of our investigation were endorsed by reputed international experts.
The UIDAI was asked for a response three months before the story was eventually published, followed by a reminder shortly before publication. They chose not to respond.
After the story went viral and opposition leaders called for an inquiry, the UIDAI issued a series of tweets dismissing our story.
We stand by our story.
HuffPost India made three key claims in the story, which were validated by an expert analysis of the code:
- The software patch lets a user bypass critical security features such as biometric authentication of enrolment operators to generate unauthorised Aadhaar numbers.
- The patch disables the enrolment software's in-built GPS security feature (used to identify the physical location of every enrolment centre), which means anyone anywhere in the world — say, Beijing, Karachi or Kabul — can use the software to enrol users.
- The patch reduces the sensitivity of the enrolment software's iris-recognition system, making it easier to spoof the software with a photograph of a registered operator, rather than requiring the operator to be present in person.
The UIDAI has not responded directly to any of these claims.
Rather, it has simply stated, without any supporting evidence, that its systems are completely secure.
Needless to say, we stand by our story.