Unique Identification Authority of India (UIDAI) on Thursday denied breach or leak of Aadhaar data after a newspaper reported it bought unrestricted access to the details of over one billion Aadhaar numbers -- for just Rs 500.
"The Aadhaar data, including biometric information, is fully safe and secure," the authority said in a statement, calling the report in The Tribune "a case of misreporting".
"UIDAI assures that there has not been any Aadhaar data breach," the statement said, adding that the data was secure with a "robust uncompromised security".
The authority said it had given search facility for the purpose of grievance redressal to designated personnel and state government officials to help residents only by entering their 12-digit Aadhaar numbers.
The grievance redressal search facility, the statement said, "gives only limited access to name and other details and has no access to biometric details".
It said the authority maintains complete log and traceability of its search facility and any misuse was traceable.
"The reported case appears to be instance of misuse of the grievance redressal search facility. As UIDAI maintains complete log and traceability of the facility, the legal action including lodging of FIR against the persons involved in the instant case is being done."
The Aadhaar database "remains fully safe and secure with highest encryption at UIDAI and mere display of demographic information cannot be misused without biometrics".
It said 12-digit ID number was not secret and had to be shared with authorised agencies whenever an Aadhaar holder wishes to avail certain service or benefit of government welfare schemes.
"That does not mean that the proper use of Aadhaar number poses a security or financial threat. Also, mere availability of Aadhaar number will not be a security threat (and) will not lead to financial (or) other fraud, as for a successful authentication fingerprint or iris of individual is also required.
"Claims of bypassing or duping the Aadhaar enrolment system are totally unfounded. The UIDAI Data Centres are infrastructure of critical importance and is protected accordingly with high technology conforming to the best standards of security and also by legal provisions."
The Tribune report, which was widely shared on social media sites, claimed that it took just Rs 500 and 10 minutes for the newspaper to get an access through an "agent" to every detail of any individual submitted to the UIDAI, including name, address, postal code (PIN), photo, phone number and email.
The newspaper said it paid another Rs 300, for which the "agent" provided "software" to facilitate the printing of the Aadhaar card after entering the Aadhaar number of any individual.
The Tribune also claimed to have found in its investigation that the racket may have started around six months ago when some anonymous groups were created on WhatsApp.
These groups targeted over three lakh village-level enterprise operators hired by the Ministry of Electronics and Information Technology (ME&IT) under the Common Service Centres Scheme (CSCS) across India, offering them access to UIDAI data.
CSCS operators were initially entrusted with the task of making Aadhaar cards across the country but were withdrawn later. The service was restricted to post offices and designated banks to avoid any security breach in November last year.