Personal Data of a Billion Indians Sold Online For $8, Report Claims (theguardian.com)

Posted by msmash from the security-woes dept.
Michael Safi, reporting for The Guardian: The personal information of more than a billion Indians stored in the world's largest biometric database can be bought online for less than $8, according to an investigation by an Indian newspaper. The reported breach is the latest in a series of alleged leaks from the Aadhaar database, which has been collecting the photographs, thumbprints, retina scans and other identifying details of every Indian citizen. The report in the Chandigarh-based Tribune newspaper claimed that software is also being sold online that can generate fake Aadhaar cards, an identity document that is required to access a growing number of government services including free meals and subsidised grain. The Unique Identification Authority of India (UIDAI), which administers the Aadhaar system, said it appeared the newspaper had accessed only limited details through a search facility that had been made available to government officials.

    I'm trying to understand the price/value issue in play here.

  • This is a good example of what happens when you fail to invest in strong security. I'm not talking just about getting hacked, I'm also talking about employees walking off with your data and selling it. The ability to access this information should have been heavily scrutinized and limited. I'm guessing India had an amateur hour setup and has no way of tracking how this information was even taken.

    • Re:A fine example. (Score:4, Interesting)

      by Archangel Michael ( 180766 ) on Thursday January 04, 2018 @12:47PM (#55863351)

      It isn't the security that is the problem, it is that we accept, blindly, that people are who they say they are. Until we assign fraud back to the lenders, credit providers, and the aggregators of such information, and not the individuals who are being spoofed by hacks such as this, we won't actually solve the problem.

      But this is done by design and will never change.

      • Indeed. A system that allows anyone to take out a loan in my name by reciting the last four digits of my SSN is not secure. Nor is a system that allows a thief to use a stolen credit card as long as he knows the 3 digit CVV code that is printed directly on the back of the card.

    • I'm guessing India had an amateur hour setup and has no way of tracking how this information was even taken.

      Maybe they outsourced it {rimshot}

