06/11/2018 4:14 PM IST | Updated 07/11/2018 6:58 PM IST

A Rare Event: Security Experts Talk About Gemalto Retracting Report Of A Billion Aadhaar Security Breaches

Gemalto counts the UIDAI as one of its biggest clients. Retracting its report has surprised the security community, which fears the government might have arm twisted the company.

Image caption: Women scanning fingerprints as part of the Aadhaar registration process.

BENGALURU, Karnataka — A few weeks ago, European security company Gemalto published a report saying that there have been over a billion Aadhaar security breaches — only to retract its findings in a half page newspaper advertisement apologising to the people of India for questioning Aadhaar security.

Its report was retracted not long after the Unique Identification Authority of India (UIDAI), the agency overseeing Aadhaar, issued an advisory suspending the use of Gemalto products in the Aadhaar ecosystem due to unspecified security issues.

Sources within the company confirmed to HuffPost India that the decision to retract the report and print the apology had happened at the very top level to appease the UIDAI. The UIDAI maintained its characteristic silence.

Yet, the retraction of the report has prompted concern amongst the security community.

Sai Krishna Kothapalli, a security researcher from IIT Guwahati, told HuffPost India that the government actively discourages security experts from providing their support, rather than encouraging them. "Earlier, the government used to be very aggressive whenever someone tried to report a security vulnerability," he said. "They didn't view us as researchers but as attackers. This is a very well known thing in the security community in India. Nowadays, they don't file an FIR; they just stay quiet until the news dies down, and remain in denial. As far as I know, in the case of a breach I reported to BSNL, they did not even tell their employees that their data had been accessed, or make any change in policy." Because of this attitude, vulnerabilities are left in place rather than acknowledged and fixed.

Gemalto is not a small company — the firm employs over 15,000 people, including 3,000 engineers focussed on research and development, and posted €3 billion in revenue last year. Last year, the company was acquired by Thales, the French industrial and aerospace giant.

Privately, the retraction of its report has been seen as bad practice. Publicly, executives from other security companies have maintained a stony silence.

Most executives from other security companies refused to comment, even when HuffPost India offered them the chance to speak on background. McAfee said that answering questions about the protocol for breach reports while the Gemalto incident was still fresh in memory would present an ethical conflict.

Image caption: The Gemalto CS500e, used for Aadhaar enrolment.

However, McAfee APAC chief technology officer Ian Yip told The Hindu that the Indian government has been doing a lot on cybersecurity. "Governments also spend a lot of money as they have to protect the interests of citizens," he said.

At the same time, Yip also expressed some reservations about Aadhaar, stating that while it has benefits, "its reach is unprecedented and needs to be measured with a level of caution."

Network Intelligence, a Mumbai-based security company founded in 2001, was one of the few that was willing to speak on the record about the implications of a security company withdrawing a report. Its clients run the gamut from ICICI Bank to Adani, Vodafone, the NPCI, Sony, Walmart, and many more.

"Security companies like to put out reports because it is useful for the industry as a whole, and builds everyone's knowledge base," said KK Mookhey, founder of Network Intelligence. "Generally, independent reports are the most well respected. There is the Ponemon Institute data breach report, which has different sponsors (this year it's IBM), and there is the Verizon Data Breach report; these are treated like an industry standard."

"These independent reports are very well respected, but for all security companies, the reports also are a chance to showcase the depth of their research, and gain respect in the industry," he continued. "Most companies are... most good companies are doing research and the reports help show that."

While Mookhey did not want to comment directly on the Gemalto report being retracted, he did say that in general such a development is a very rare event. "Recently there was a story by Bloomberg about China hacking American companies through a hardware hack. This was immediately denied: Apple and Amazon, which were allegedly hacked, both denied it, Supermicro denied it, the NSA denied it. But Bloomberg still stands by the article despite strong rebuttals from the security community as well. Retracting a report is a drastic, last step."

Asked to speculate on why this step was taken, however, he demurred and reiterated, "It's just a very rare event and very surprising in the manner in which it was done."

Sivarama Krishnan, Leader – Cybersecurity at PwC holds that vulnerabilities exist in every system, and can be exploited.

"Following every incident, there's a huge uproar about UIDAI being breached and that it's in denial mode. However, the UIDAI denies any lapse because every vulnerability is presumed to be a breach, but it is not so," he told CSO.

Another security insider speculated that Gemalto might have been trying to hype its encryption solution as a product to UIDAI by pointing out weaknesses in its existing system, a move which backfired as the UIDAI allegedly published a circular warning partners not to use Gemalto products. However, the executive noted that this was "industry gossip" and not in any way certain, and added, "we know the decision to publish the apology didn't come from India, at least."

Another security researcher noted, "Gemalto has a lot of smart people that work for them, but they also have to do a lot of business with government. This feels like a case of research doing something and marketing or public affairs finding out about it later and getting upset."

Gemalto itself, however, has not chosen to clear up concerns about its apology. Over a week ago, HuffPost India sent Gemalto's PR team a mail requesting clarification on whether it had received any communications from the UIDAI after publishing its report, and asking it to clarify which reports it cited as 'misleading'. There has been no response.