According to Atul Nair, a security expert, the Aadhaar numbers of more than 110 million farmers were exposed on the Indian government website for Pradhan Mantri Kisan Samman Nidhi (PM-Kisan), a government of India initiative under which all farmers will get annual income support.

He said that a dashboard endpoint on the website was leaking the Aadhaar numbers of all farmers based on region (state, district, village).

Though Aadhaar numbers are not strictly secret, they are considered similar to American Social Security or British National Insurance numbers. An Aadhaar number is a 12-digit number that each Indian citizen receives as part of the country’s national identity database. After residents submit their fingerprints and retinal scans to the central database, Aadhaar is used as proof of identification, and it is frequently required for accessing state government services such as social assistance and voting. Aadhaar numbers are also used to verify identities when creating bank accounts, renting Airbnbs, driving with Uber, and using other internet services.

Nair warned that a malicious attacker could easily have gathered the farmers’ information by writing a script. He also provided a small sample of the farmers’ information and corresponding Aadhaar numbers that were exposed by the PM-Kisan website. According to PM-Kisan’s website, which appears to be accessible only from within India, more than 110 million farmers have registered since the initiative launched in 2019.

Nair alerted India’s national computer emergency response team, known as CERT-In, in January, and the exposure was patched in late May. Nair also wrote a blog post about his findings.

The data leak is not a breach of Aadhaar’s core database, which is administered by the UIDAI, but it is the latest security lapse to plague the controversial national identity database, which Prime Minister Narendra Modi’s government has defended vehemently.

Research from 2017 indicated that a few websites had exposed more than 130 million Aadhaar numbers and linked bank data. Several other failures involving significant numbers of Aadhaar numbers have also been discovered. In 2018, journalists discovered that people offering access to the Aadhaar database were selling Aadhaar data.