European digital security firm Gemalto on Saturday published a half-page newspaper advertisement in which it apologised to "the people of India" for publishing a report that there were over a billion data breaches of the Aadhaar database.
In its report, issued on October 15, Gemalto wrote: "During the first six months of 2018, almost 1 billion records were compromised in Aadhaar breach incident, including name, address and other personally identified information. This is particularly concerning, since the stolen, lost or compromised data records of only one out of 12 breaches were protected by encryption to render the information useless, a zero percent compared to the first six months of 2017."
The company soon retracted its report, and in its apology said it had taken into account an unverified news article. The company further added that it had not been able to track any verified data breach of the Aadhaar database, despite the fact that news organisations in India and around the world have published countless instances of Aadhaar data being leaked, along with screenshots.
It also wrote, in a statement signed by CEO Philippe Vallée: "through the publication of this report, Gemalto has caused prejudices in the minds of the general public at large against Aadhaar, which we deeply regret."
What Gemalto's apology also fails to mention is that the UIDAI is a long-time client of Gemalto's. The European company is a supplier of biometric hardware for the Aadhaar project, and its report mentioning breaches could have had an impact on the business relationship. HuffPost India has reached out to Gemalto with questions about its apology, and will update this article on receiving a response.
According to Gemalto's website, the roots of Gemalto's involvement in the Aadhaar project stretch right back to the very beginning. It supplies biometric devices for both fingerprint and iris scans to the UIDAI. Its CS 500e lightweight ten-print scanner is used to capture a person's fingerprint data for enrolment. It also has the CIS 202 Dual Iris Capture Scanner, which allows enrolment agencies to capture both irises at the same time, and includes liveness detection.
Gemalto also supplies its CSD200i, which is used for authentication. This optical fingerprint reader can capture a single fingerprint at a time, which can then be sent to the UIDAI to authenticate against the Aadhaar database.
Following the Supreme Court's Aadhaar verdict, Gemalto's VP APAC sales, identity and data protection Rana Gupta also said, "Irrespective of how this journey evolves, Gemalto's 3-step secure-the-breach suite of solutions will continue to facilitate data-protection through encryption, key management and secure authentication."
Beyond this potential conflict of interest, a circular has surfaced on Twitter that could shed further light on the matter. However, it has not yet been verified by the UIDAI. The UIDAI website has also not published any circulars since September 5, and the latest document available on the website is from October 1, which informs telcos about the discontinuation of Aadhaar-based e-KYC.
If the circular is genuine, though, it raises troubling questions. The circular, dated October 17, two days after Gemalto publicised its research, says that the UIDAI has learnt about security issues in Gemalto products, and advises ecosystem partners to halt procurement of Gemalto biometric devices.
This raises questions about whether the UIDAI arm-twisted Gemalto to retract its report; and even if that's not the case, given that Gemalto has had a long association with the UIDAI, it raises questions about the validity of enrolments and authentication done using Gemalto hardware.