Data breach / Unknown

Aadhaar database exposure

Tribune India journalists demonstrated that paid intermediaries could provide full Aadhaar records — including biometric-linked identity data on roughly 1.1 billion Indian residents — for 500 rupees per record.

Victim: Unique Identification Authority of India (UIDAI) / Aadhaar
Records: 1.10B
Users: 1.10B

In January 2018, journalists at Tribune India demonstrated that for 500 Indian rupees (~$8 USD) and a 10-minute WhatsApp conversation, anyone could obtain working credentials to a Unique Identification Authority of India (UIDAI) portal returning full personal records keyed on any of the country's ~1.1 billion Aadhaar numbers.

The disclosure landed amid an ongoing constitutional challenge to Aadhaar itself and forced a national reckoning over India's biometric ID infrastructure.

What happened

Aadhaar is India's national biometric ID programme — at the time the world's largest, covering ~1.1 billion residents with fingerprint and iris records linked to a 12-digit identification number. Aadhaar is required for tax filing, welfare distribution, mobile-phone SIM registration (at the time), and bank account opening. Linking Aadhaar to those systems makes the database the universal identity primitive for the Indian state.

Tribune India reporter Rachna Khaira investigated underground reports that Aadhaar records were available for purchase. The reporting process:

  • Khaira contacted a seller via a Telegram / WhatsApp group circulating in the carding community.
  • Paid 500 rupees (~$8 USD) through Paytm.
  • Received within 10 minutes functional login credentials to a UIDAI portal.
  • Used those credentials to query any 12-digit Aadhaar number and receive in response: name, address, date of birth, gender, phone number, email, photograph, and the entire profile bound to that ID.

For an additional 300 rupees (~$5 USD), the seller offered software that produced printable Aadhaar cards from the queried data.

The mechanism appears to have been insider misuse: UIDAI had distributed portal credentials to thousands of enrolment operators and authorised agents across India for legitimate biometric-enrolment work. Some of those operators had resold their credentials on the criminal market — meaning the breach was not a single point of intrusion but a distributed insider-misuse problem affecting the access-control model itself.

Aftermath

UIDAI's initial public response was to deny the breach and file a First Information Report (criminal complaint) against Khaira and the Tribune newspaper for the journalism. International press attention and editorial outcry forced a partial reversal — the FIR was narrowed to the seller and intermediaries rather than the journalists, but the threat-against-press posture became part of the public memory of the incident.

The Indian government and UIDAI subsequently:

  • Revoked enrolment operator credentials for thousands of agents.
  • Introduced new access-control mechanisms with biometric authentication required for every portal query.
  • Imposed audit logging on operator queries.
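
Audit logging on operator queries only helps if the log is checked for the pattern this incident produced: one enrolment credential used by many people to look records up. The following is an added example, not UIDAI's code or log format; the record layout, operator names, thresholds and sample entries are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records; the layout is hypothetical, not UIDAI's format.
# (timestamp, operator credential, source IP, action, record reference)
SAMPLE_LOG = [
    ("2018-01-03T10:00:00", "op-1001", "192.0.2.10", "enrol", "rec-001"),
    ("2018-01-03T10:20:00", "op-1001", "192.0.2.10", "lookup", "rec-001"),
    ("2018-01-03T11:05:00", "op-1001", "192.0.2.10", "enrol", "rec-002"),
    ("2018-01-03T10:01:00", "op-2002", "198.51.100.7", "lookup", "rec-310"),
    ("2018-01-03T10:02:30", "op-2002", "203.0.113.44", "lookup", "rec-877"),
    ("2018-01-03T10:03:10", "op-2002", "198.51.100.7", "lookup", "rec-311"),
    ("2018-01-03T10:04:00", "op-2002", "203.0.113.90", "lookup", "rec-552"),
]

def flag_shared_credentials(log, max_sources=2, min_lookups=3,
                            overlap=timedelta(minutes=5)):
    """Return {operator: [reasons]} for credentials whose use looks shared.

    Thresholds are illustrative assumptions and need tuning on real data.
    """
    by_op = defaultdict(list)
    for ts, op, ip, action, _record in log:
        by_op[op].append((datetime.fromisoformat(ts), ip, action))

    findings = {}
    for op, events in by_op.items():
        events.sort()
        reasons = []
        # Signal 1: one credential seen from many networks.
        sources = {ip for _, ip, _ in events}
        if len(sources) > max_sources:
            reasons.append(f"{len(sources)} distinct source IPs")
        # Signal 2: consecutive events from different IPs inside the window.
        if any(ip_a != ip_b and t_b - t_a <= overlap
               for (t_a, ip_a, _), (t_b, ip_b, _) in zip(events, events[1:])):
            reasons.append("interleaved use from different IPs")
        # Signal 3: an enrolment credential used only to look records up.
        lookups = sum(1 for _, _, action in events if action == "lookup")
        enrols = sum(1 for _, _, action in events if action == "enrol")
        if lookups >= min_lookups and enrols == 0:
            reasons.append(f"{lookups} lookups, no enrolment activity")
        if reasons:
            findings[op] = reasons
    return findings

if __name__ == "__main__":
    for operator, why in flag_shared_credentials(SAMPLE_LOG).items():
        print(operator, "->", "; ".join(why))
```

On the constructed sample, only the second operator is flagged, and for all three reasons; the first operator's single-site mix of enrolments and one lookup passes.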

The constitutional case Justice K.S. Puttaswamy v. Union of India culminated in September 2018 with the Indian Supreme Court upholding Aadhaar's constitutionality for government welfare schemes but striking down mandatory linkage to private services (telecoms, banks). The 5-0 ruling explicitly cited the Tribune disclosure and broader Aadhaar security concerns as motivating the restrictions.

Records exposed

Strict scope is hard to bound, because the breach was a sale of access, not a single bulk exfiltration. Functionally, any of the 1.1 billion Aadhaar records was queryable by paying for credentials. UIDAI maintains that no bulk database dump occurred and that fingerprint / iris biometric templates were not exposed — only the demographic and contact data.

The 1.1 billion figure in this entry reflects the scope of the exposure, not the count of records actually queried, which is unknowable.

Why it matters

Aadhaar is the canonical case for national biometric ID systems and distributed-insider risk. It established:

  • That identity systems at billion-record scale require fundamentally different access-control architecture than enterprise databases. The credential-distribution model that worked for enrolment did not survive contact with criminal markets.
  • That insider misuse via low-value credential resale can produce breach-scale exposure without any "hack" in the conventional sense.
  • That the interaction between state-mandated ID linkage and national breach exposure is a first-order policy issue. The Supreme Court's restriction on private-sector Aadhaar linkage was a direct consequence.
  • That threatening journalists with criminal complaints for breach reporting is a counterproductive state response. The Tribune-FIR episode is now a reference case in press-freedom analysis of cybersecurity disclosure.

The Aadhaar incident catalysed India's Digital Personal Data Protection Act (DPDPA), passed in 2023, which provides the first comprehensive data-protection framework for Indian residents and includes specific provisions on identity-system operators.

Timeline

  1. Aadhaar enrolment begins. By 2018 the system covers ~1.1 billion Indian residents, becoming the world's largest biometric ID database.

  2. Indian Supreme Court (Puttaswamy judgment) recognises privacy as a fundamental right under the Constitution, partly in response to growing Aadhaar concerns.

  3. Tribune India reporters investigate criminal-forum reports that Aadhaar records can be purchased.

  4. Tribune India publishes its investigation: reporters paid 500 rupees (~$8) to a WhatsApp seller and received working credentials to a UIDAI portal that returned full records for any Aadhaar number queried.

  5. UIDAI denies the breach, threatens to file FIR (criminal complaint) against the reporters.

  6. UIDAI files FIR against the Tribune reporter Rachna Khaira and the newspaper.

  7. International press attention forces UIDAI to revise position; FIR scope narrowed to the seller and intermediaries rather than the journalists.

  8. Indian Supreme Court upholds Aadhaar's constitutionality but restricts its use to government welfare schemes, ruling that private operators (telcos, banks, etc.) cannot mandate Aadhaar.

  9. UIDAI publishes amended access-control regime restricting and auditing operator portals.

Sources

  1. tribuneindia.com: https://www.tribuneindia.com/news/archive/nation/rs-500-10-minutes-and-you-have-access-to-billion-aadhaar-details-523361
  2. scobserver.in: https://www.scobserver.in/cases/aadhaar-puttaswamy-judgment-summary/
  3. uidai.gov.in: https://uidai.gov.in/images/news/UIDAI%20Press%20Release_4Jan2018.pdf
