Joining the growing list of infamous Indian governmental institutions and agencies, Jharkhand government has allegedly been spotted leaking the Aadhaar numbers and other personal details of thousands of governments workers on its website. The online system being used by the government to manage the attendance of all of the governmental workers in the state reportedly had no security protections and the webpages with personal details of employees were easily accessible to anyone who knew where to look for. The website is currently inaccessible.
According to a report by TechCrunch, the Web-based attendance system of the Jharkhand government has been left unprotected at least as far back as 2014. It offered details like government worker name, their photo, designation, partial phone numbers, and the Aadhaar number. The Aadhaar numbers were not directly listed on the webpage, but the website was fetching the image of the workers by sending their Aadhaar number, which are clearly visible in the URL of the image link.
The report adds that the attendance system was hosted on a sub-domain of the official website of the Jharkhand government and the same was even indexed in Google, making its accidental discovery quite possible for anyone. The cache pages of the individual government employee attendance records can be easily found in the search giant’s index. Further, anyone with even the basic knowledge of coding could scrape the entire website very easily, the report claimed citing a security researcher. Over a lakh Aadhaar numbers are said to have been left unprotected.
TechCrunch was reportedly able to verify the authenticity of the Aadhaar numbers found on the Jharkhand government website by the checking the same using UIDAI’s official tool.
Although the latest leak isn’t directly related to the Unique Identification Authority of India (UIDAI), the agency that manages Aadhaar infrastructure in the country, it shows how the Aadhaar data can become so easily vulnerable even when in hands of other governmental agencies. Also, the mere leak of Aadhaar numbers doesn’t seem very alarming, but such a database has the potential of being used by malicious parties for social engineering hacks.
Previously, an unnamed government-owned utility service provider, several government websites, and more have been found to be leaking Aadhaar related information.