Thousands of government employees' Aadhaar card numbers were left exposed on the Jharkhand government's website, reports TechCrunch. The Jharkhand government used to track the attendance of government workers on one of its portals, attendance.jharkhand.gov.in.
According to the report, the portal wasn't password-protected, letting anyone access details such as the name, picture, job title and partial phone number of 166,000 workers.
The 12-digit Aadhaar card numbers of those workers were used as the file names of the photos on each record page. While this isn't a direct breach of Aadhaar's central database, managed by the Unique Identification Authority of India (UIDAI), which governs Aadhaar, it shows a security lapse by the authority responsible for protecting its employees' data.
According to French security researcher Baptiste Robert, who goes by the pseudonym Elliot Alderson on Twitter, anyone can scrape the entire site in batches to download the workers' photos and corresponding Aadhaar numbers using less than a hundred lines of Python code. Both the Jharkhand government and UIDAI are yet to respond.
More than 90 per cent of the population have enrolled in Aadhaar, which authenticates the identity of a person to enlist in state services including voting, welfare or financial aid. Aadhaar card holders can also use their Aadhaar card number and biometrics to register for a new SIM card, open a bank account and more.