B’luru Hacker Piggybacked on Govt Server to Access Aadhaar Data
Days after an IIT Kharagpur graduate was arrested in Bengaluru for stealing Aadhaar data, the city's cyber crime police have revealed how the software engineer managed to illegally access data of thousands.
31-year-old Abhinav Srivastava, who had created an eKYC verification mobile application, allegedly accessed Aadhaar data by illegally impersonating a government server. The police say that he hacked into an e-hospital server to use it as a channel to get Aadhaar information for his mobile application.
Bengaluru police say that the IIT-graduate had exploited weak security protocols of the e-hospital system, a government server, for easy access UIDAI data. A senior officer, however, added that data servers of the UIDAI were not compromised.
Abhinav Srivastava’s app, eKYC verification, provided verification of UIDAI data. The e-hospital system was a server hosted by National Informatics Centre (NIC), which had tied up with the Unique Identification Authority of India (UIDAI) for Aadhaar authentication services. The lack of Hypertext Transfer Protocol Secure (HTTPS), which is a secure version of HTTP (Hypertext Transfer Protocol), in the e-hospital server made the hacking easier, said investigators.
Despite the police’s assurance that database on the UIDAI was not compromised, concerns about its vulnerability remain. There are several government servers that use UIDAI data, but lack the security measures to prevent any breaches, leaving UIDAI susceptible to cyber attacks.
“All verification requests for his illegal app were made through the e-hospital server. As the verification requests were coming from the e-hospital server, the UIDAI database provided him with information. This use of Aadhaar data happened between beginning to January to end of July,” said a senior police officer.
How many people have accessed Aadhaar data using eKYC app is still being investigated, said the cops. They, however, added that Srivastava’s app had revealed details such as name, address, and phone number of several individuals, from the UIDAI database.
During questioning, Abhinav insisted that he was not a criminal, but was trying to make a useful mobile app. Cops also added that his Android mobile app was downloaded over 50,000 times and he made a revenue of Rs 40,000 from the ads as well.
(We all love to express ourselves, but how often do we do it in our mother tongue? Here's your chance! This Independence Day, khul ke bol with BOL – Love your Bhasha. Sing, write, perform, spew poetry – whatever you like – in your mother tongue. Send us your BOL at firstname.lastname@example.org or WhatsApp it to 9910181818.)