Following the Tribune report today about the massive Aadhaar security breach and the subsequent reveal of the investigation, Beebom has managed to unearth new information from the alleged person behind the leak, based on the details revealed in the original investigation.

The Tribune article clearly mentions the mobile number used to communicate with the alleged seller of the Aadhaar info, who transferred over access to a portal revealing all the Aadhaar details in exchange for Rs 500. With a billion account details leaked, this is the largest Aadhaar security breach in India.

Tribune's Investigation TImeline
Screenshot of the Tribune’s Investigation Timeline (Image reproduced from www.tribuneindia.com)

However, on contacting the alleged individual (name redacted as we were given a different name from the one mentioned by Tribune), Beebom was informed that the service was temporary and it’s no longer available, like it was for the Tribune reporters. Beebom contacted the numbers mentioned in the screenshot above.

The Gujarat Connection

In a telephonic conversation, the alleged seller explained in Hindi exactly how he got involved in this arrangement and insisted that such a deal is no longer on the table. The person, who hails from Punjab, said that his usual work is as a go-between for Chartered Accountants and individuals, arranging documents for PAN applications, tax return filings, etc. He also involved in arranging documents for United Trust of India policies and was part of a WhatsApp group, which kept him updated on developments here. This is where he allegedly met the individual who would turn him on to selling Aadhaar details.

Biometric Data Collection For Aadhaar
Biometric Data Collection For Aadhaar (Image: Biswarup Ganguly / Creative Commons Attribution 3.0 Unported

The seller told Beebom about another alleged tout from Gujarat who contacted him through the UTI WhatsApp group to bring them in on the scheme. The person from Gujarat informed him about the possibility of earning some money on the side by selling Aadhaar information on to interested parties. The arrangement allegedly began in September 2017 and has now shut down, according to the alleged seller we spoke to. Before the call ended, he reiterated how the operation had shut down after an acquaintance informed him about the illegal nature of the ‘service’.

Government’s Official Response

The Unique Identification Authority of India, or UIDAI, issued an official statement denying the Aadhaar security breach. “The Aadhaar data including biometric information is fully safe and secure,” the body said. It maintained that Aadhaar security was well-designed, and had there’s a multi-layer approach with a robust security system in place. They added that it’s been upgraded regularly to maintain the highest level of data security and integrity.

“UIDAI maintains complete log and traceability of the facility and any misuse can be traced and appropriate action taken. The reported case appears to be instance of misuse of the grievance redressal search facility,” it claimed, as per a PTI report on NDTV.

Number Disconnected

Beebom attempted to get the number of the mysterious Gujarat agent, but subsequent attempts to reach our source failed as the number in question “Has Been Temporarily Disconnected”.

Additionally, attempts to reach the source on WhatsApp and get the further contact details of the Gujarat agent too were met with no response.

UPDATE:

Buzzfeed India corroborates our story and has more on the alleged seller. Here’s the relevant part from their report.

BuzzFeed News tracked down Kumar, who said his name was a pseudonym. Kumar told BuzzFeed News that he had provided access to the Aadhaar database to seven other people besides the Tribune reporter in the last week for Rs. 500 a pop but claimed that he didn’t know he was compromising people’s privacy and breaching the law when he did so. “I paid Rs. 6,000 (approximately $95) to an anonymous person in a WhatsApp group I was a part of to create an username and password to the Aadhaar database for myself,” he said. “I was told that I could then create as many usernames and passwords to access the database as I wanted. I sold each of them to make my Rs. 6,000 back.”

We will update the story as soon as we can reach the source once again and continue following-up to the eye-opening Tribune investigation.