Digital identities of more than a million citizens have been compromised by a programming error on a website maintained by the Jharkhand Directorate of Social Security.
The glitch revealed the names, addresses, Aadhaar numbers and bank account details of the beneficiaries of Jharkhand’s old age pension scheme.
Jharkhand has over 1.6 million pensioners, 1.4 million of whom have seeded their bank accounts with their Aadhaar numbers to avail of direct bank transfers for their monthly pensions.
Their personal details are now freely available to anyone who logs onto the website, a major privacy breach at a time when the Supreme Court, cyber-security experts and opposition politicians have questioned a government policy to make Aadhaar mandatory to get benefits of a variety of government schemes and services.
When HT reporters logged onto the site, they could drill down to get transaction-level data on pension paid into scores of pension accounts.
The publishing of Aadhaar numbers is in contravention of Section 29 (4) of the Aadhaar Act. Earlier this year, the Unique Identification Authority of India (UIDAI) blacklisted an Aadhaar service provider for 10 years for publishing the Aadhaar number of MS Dhoni, former captain of the Indian cricket team.
The authority has also filed at least eight police complaints in the past month against private parties for “illegally collecting” Aadhaar numbers of citizens – information that the Jharkhand government has now put into the public domain. UIDAI did not respond to queries sent by HT.
At present, the Supreme Court is considering the legality of a government decision to make it mandatory to provide an Aadhaar number when filing income tax returns.
In Jharkhand, officials were surprisingly sanguine about the breach, suggesting that they had been aware of the situation for several days.
“We got to know about it this week itself. Our programmers are working on it, and the matter should be addressed very soon,” said MS Bhatia, secretary of the state’s social welfare department.
Bhatia declined to comment on the legal implications of publishing this information.
“Will the CEO of UIDAI take any action against the government of Jharkhand for making this dataset public? And if they don’t, does that mean they condone this act?” said Pranesh Prakash, policy director at the Centre for Internet and Society.
The data breach, senior Congress leader Jairam Ramesh said, “makes a complete mockery of all that Jaitley and Ravi Shankar Prasad have said in Parliament.”
Problems with Aadhaar-based authentication and enrollment, Ramesh added, had also meant that many vulnerable people had been denied their legally mandated welfare entitlements.