Indian newspaper The Tribune reported today that India’s national ID program has been breached, but the Indian government has rejected the paper’s claims.

In its report, The Tribune said that it was able to buy access to an illegal database of citizen personal information for less than $8 (500 Indian rupees). According to the paper, the data came from a breach of India’s voluntary national ID program, Aadhar, which allows citizens to sign up for a unique 12-digit ID number.

The goal behind Aadhar, according to the Unique Identification Authority of India, is to protect citizens from identity theft and make it easier for them to access welfare and other government services.

Aadhar’s database includes a host of personal data, since citizens must provide personal information when registering, as well as fingerprints for each finger, iris scans of both eyes and a facial photograph. The Tribune said that it could not access biometric data, but it could look up citizens’ personal data such as their home address and date of birth. The paper said that for an additional payment of less than $5 (300 Indian rupees), it also acquired software that allowed it to print fake Aadhar cards.

Shortly after The Tribune published its report, UIDAI’s official Twitter account posted a string of tweets denying the paper’s claims:

Tribune’s Story ‘Rs 500, 10 minutes, and you have access to billion Aadhaar details’ is a case of misreporting. No biometric data breach. Some persons have misused demographic search facility, given to designated officials to help residents who have lost Aadhaar/Enrollment slip to retrieve their details. UIDAI maintains complete log & traceability of the facility, any misuse is traceable. Legal action taken, including FIR against persons involved. Search facility gives limited access to name & other details, has no access to biometric details. There has not been any data breach of biometric database which remains fully safe & secure with highest encryption at UIDAI and mere display of demographic info cannot be misused without biometrics.

The Bharatiya Janata Party, India’s largest political party, also denied The Tribune’s report and called the story “FAKE NEWS!” on Twitter.

Photo: @BJP4India/Twitter

The Tribune fired back with a rebuttal of its own, pointing out that UIDAI’s own statement of an “instance of misuse” admits that Aadhar has been illegally accessed and that citizens’ personal information is compromised. The paper also criticized the UIDAI’s statement that Aadhar information is useless without biometric data, and it accused UIDAI of of believing that the “giving away of personal data is of no serious consequence.”

Photo: Visual Content Data Security via photopin (license)