UIDAI hits back at Gemalto for attempt to discredit Aadhaar; bans buying Gemalto machines
The government has advised Aadhaar ecosystem partners against procuring devices from digital security company Gemalto over security concerns. The rap came close on the heels of a report by the Amsterdam-based firm which claimed India has the second-highest data breach incidences in the world on account of a compromise of the Aadhaar database. The report was later withdrawn and Gemalto issued a public notice apologising for the "publication of this erroneous report".
Gemalto's devices, such as hardware security modules (HSMs) and biometric devices, are used in Aadhaar-based payments. In a letter to all ecosystem partners, the Unique Identification Authority of India (UIDAI) said that it has found some security issues in existing Gemalto products, which warrant further evaluation of the potential risks they pose to the Aadhaar network. The Aadhaar-issuing authority has suspended all future procurements of biometric and digital security devices from Gemalto till this evaluation is complete.
The government ban on procuring Gemalto products for the Aadhaar network came two days after Gemalto published a report claiming massive data breaches in India's biometric unique identity system.
Earlier this month, Gemalto said in its Breach Level Index report that incidences of data breach were second-highest in India on account of a data breach in the Aadhaar database which was exposed by a daily newspaper. The survey claimed that India accounts for 37 per cent of the global breaches in terms of records compromised or stolen or revealed, after the United States which represents 57 per cent of data breaches worldwide.
"During the first six months of 2018, almost 1 billion records were compromised in Aadhaar breach incident, including name, address and other personally identified information. This is particularly concerning, since the stolen, lost or compromised data records of only one out of 12 breaches were protected by encryption to render the information useless, a zero percent compared to the first six months of 2017," Gemalto had said in the report which was later withdrawn.
Gemalto had based its claims of data breaches in the Aadhaar network on The Tribune report back in January which said that an anonymous service was granting access to the entire Aadhaar database in exchange for only Rs 500. The UIDAI had quashed these reports and filed a police complaint against reporter Rachna Khaira who did the story and people whom she contacted during her investigation.
Later, within twelve days of publishing the Breach Level Index, Gemalto issued a public apology via newspapers for the report which claimed a data breach in the Aadhaar database. "Gemalto published an inaccurate Breach Level Index report and press release that included a news article about an alleged and unverified Aadhaar data breach," the company said in a notice titled 'Gemalto apology to the People of India'.
"Through the publication of this report, Gemalto has caused prejudice in the minds of the general public at large against Aadhaar which we deeply regret. We never intended to malign Aadhaar, India's prestigious identity mission project, by unknowingly committing the mistake. We are launching an internal investigation and will take additional appropriate action internally," Gemalto CEO Philippe Vallee said in the statement.