UIDAI said that No Breach or Compromise has taken place in UIDAI servers. The CIDR and people’s Aadhaar and biometric data remain safe and secure
Unique Identification Authority of India
17th April 2019
New Delhi: Unique Identification Authority of India (UIDAI) has dismissed the news reports about alleged theft of data of 7.82 crore residents from UIDAI’s Central Identities Data Repository (CIDR) which has been published in a section of media in connection with the news relating to the FIR filed against IT Grid (India) on the basis of a complaint by Telangana Police.
UIDAI said that it’s CIDR and servers are completely safe and fully secure and no illegal access was made to its CIDR and no data has been stolen from its servers.
UIDAI has filed a complaint on the basis of a report from Special Investigation Team (SIT) of Telangana Police that IT Grid (India) Pvt. Ltd has allegedly obtained and stored Aadhaar numbers of large number of people in violation of the provisions of the Aadhaar Act. Nowhere in the report, the SIT has found any evidence to show that the Aadhaar number, name, address, etc., of the people have been obtained by stealing them from UIDAI servers.
UIDAI clarified that service providers usually collect Aadhaar number, name, address, etc., directly from individuals for providing services. They are required under the Aadhaar Act and Information Technology Act to use these sensitive information only for the purpose for which such information has been collected and are not allowed to share further without the consent of the Aadhaar holders. If they violate the provisions of Aadhaar Act in collection of Aadhaar numbers from people, their storage, usage, and sharing, they are liable to be prosecuted under the Aadhaar Act.
UIDAI said that through the FIR, the police has been requested by UIDAI to investigate as to for what purpose the Aadhaar numbers were collected from the people by IT Grid (India) and being stored and used by the company and whether any provisions of Aadhaar Act have been violated. The alleged incident has nothing to do with UIDAI’s data and servers.
UIDAI explained that the alleged illegal storage and misuse of Aadhaar numbers by IT Grid (India) Pvt. Ltd are being wrongly projected by a section of media as if Aadhaar servers have been compromised. It is akin to a case if a company is found to be unauthorisedly storing bank account numbers of people, can one claim that the bank servers have been compromised? The answer will be obviously no. The company which is unauthorisedly storing bank account numbers of people will face prosecutions under relevant banking and Information Technology and data protection laws. Same is being done against IT Grid (India) in this case.
UIDAI further clarified that mere possession and storage of Aadhaar numbers of people, though may be an offence under the Aadhaar Act under some circumstances, does not put the Aadhaar holders under any harm in any manner whatsoever because for assessing any Aadhaar based services, biometrics or One Time Password (OTP) is also required. Just like somebody merely knowing the credit card number cannot harm the credit card holder because for using it one requires PIN as a second factor authentication. Similarly, merely knowing Aadhaar number does not put the Aadhaar holder to any risk because for using it, biometric or OTP is required as second factor authentication.
UIDAI said that it is absolutely clear from the above that no breach or compromise has taken place in UIDAI servers. The CIDR and people’s Aadhaar and biometric data remain safe and secure. People should reject the fear mongering and false news being propagated by few vested interests in this regard.