Though the Unique Identification Authority of India (UIDAI), which administers the Aadhaar, has regularly denied it, there have been several data security breaches and incidents of misuse of Aadhaar. These have been reported in the media and have come up before the courts. According to the data website, IndiaSpend, 73 incidents of the misuse of Aadhaar were reported in the English-language media until May 2018. Of these, 52 involved fake or forged Aadhaar numbers and 21 were associated with banking frauds involving the UIDAI programme.
Since September 2011, 164 cases of forged or fake Aadhaar numbers and Aadhaar-related banking frauds have been reported. This list does not include cases that have not come to the attention of the English-language media or were never reported.
Here are a few representative samples which point to the fact that all is not well with the Aadhaar system.
Diversions of funds during demonetisation: Financial news website Moneylife reported in September that there was a huge spike in deposits into Jan Dhan accounts in PSU banks following the note ban. The accounts were opened by bypassing KYC norms and were the first to be compulsorily seeded to Aadhaar numbers. According to data revealed through RTI from 18 banks, a staggering 20.8 lakh Jan Dhan accounts received more money than the stipulated Rs 1 lakh which can be deposited in a year, A single account in the United Bank of India saw a deposit of Rs 93.82 crore. Another in Bank of India received Rs 3.05 crore. Bankers suspect that many of these accounts were fake ones opened with fake Aadhaar numbers.
Fake SIM cards: In September 2018, the Delhi High Court raised an alarm over loopholes in the Aadhaar authentication system. It came to the notice of the Court following a PIL which noted that unsuspecting customers were being asked to give thumb impressions more than once on biometric machines by a mobile shop owner. This enabled the operator to generate multiple SIM cards and hence mobile connections. These connections were then used to make calls to people and induce them into signing up for fraudulent insurance schemes. The court issued notices to the Cyber Cell of the Delhi Police, the UIDAI and the Union Home Ministry. If fake SIM cards can be so easily generated, then it defeats the purpose of authentication, the court noted.
Diverting rations: In August 2018, the food and civil supplies department in Uttar Pradesh registered 22 FIRs against fair price shop owners for the misuse of Aadhaar cards to divert grains distributed through the Public Distribution System. As many as 1.86 lakh transactions took place in May and June. Aadhaar numbers of genuine beneficiaries were replaced in 43 districts with fake numbers to divert rations.
Forged Aadhaar cards and bank accounts: In March this year, the crime branch of the Mumbai police unearthed a case of 40 bank accounts being opened using fake documents, including Aadhaar cards. The case came to light when an operator who provided forged documents was raided. He revealed that 40 accounts were opened using forged documents and that they were used by import-export firms.
Diversion of LPG subsidies: Last year, Airtel Payments Bank opened 31 lakh mobile bank accounts on behalf of its mobile phone subscribers without their knowledge or consent. Into these accounts was diverted Rs 190 crore of LPG subsidies. The bank accounts were opened without the consent of mobile subscribers when they came to seed Aadhaar numbers to SIM cards. Airtel was fined Rs 2.5 crore by UIDAI.
Free access to database: Srinivas Kodali, a security researcher, discovered in April this year that the website of the Andhra Pradesh government allows easy access via the internet to Aadhaar data. It also allows the search for the personal data of families in 13 districts of the state. Such details as caste and religion were freely available. Phone numbers, bank account numbers and IIFSC codes of those enrolled were also accessible.
Major data breaches: In November last year, in response to an RTI, the UIDAI stated that “approximately 210 websites of central government, state government departments including educational institutes were displaying the list of beneficiaries along with their name, address, other details and Aadhaar numbers for information of general public.” However, it did not specify when the breach occurred, when it was detected and corrected.