ZDNet report on Aadhaar leakage through a government utility service provider


Oct 29, 2004
A new data leak hits Aadhaar, India's national ID database | ZDNet

They tried for a month to get the issue fixed before reporting. The issue was not fixed at the time of publication of this article.
They have held back the actual details of the leak. The leak was reported to them by an Indian guy.

When Saini ran a handful of Aadhaar numbers (from friends who gave him permission) through the endpoint, the server's response included the Aadhaar holder's full name and their consumer number -- a unique customer number used by that utility provider. The response also reveals information on connected bank accounts, said Saini. Screenshots seen by ZDNet reveal details about which bank that person uses -- though, no other banking information was returned.

That seems to contradict a tweet by India's Unique Identification Authority (UIDAI), the government department that administers the Aadhaar database, which said: "Aadhaar database does not keep any information about bank accounts."

Another tweet on the same day by Ravi Shankar Prasad, India's minister for electronics and information technology, also said: "Aadhaar does not save the details of your bank account."

The endpoint doesn't just pull data on the utility provider's customers; the API allows access to Aadhaar holders' information who have connections with other utility companies, as well.


Feb 23, 2018
As always, Aadhaar database safe, no truth in reports of breach, UIDAI clarifies
The news report had stated that the database of the state utility company containing its customer details such as bank account numbers, consumer number, 12-digit Aadhaar number could be made accessible to outsiders and hence misused. Questioning this claim, the UIDAI, in its press release said, “Even if the claim purported in the story were taken as true, it would raise security concerns on database of that Utility Company and has nothing to do with security of UIDAI’s Aadhaar database. If one goes by the logic of ZDNet’s story, since the Utility company’s database also had bank account numbers of its customers, so would that mean that all Indian banks’ databases have been breached? The answer would obviously be in negative.”


May 28, 2018
A tweet from a Member of Parliament - Source

"@Swamy39: In California I learnt that for $50 any software specialist can download anyone’s Aadhar personal data"