The Aadhaar has been criticised for its potential to be used for surveillance, for its reliance on biometric data, which, unlike PINs and passwords, cannot be changed once compromised, and because it is steadily becoming a mandatory identity document that you increasingly cannot opt out of. Worse still, it turns out that this data is barely being secured either. A Medium post by user St_Hill discusses certain problems with the Aadhaar and highlights how, with just a basic Google search, you can access the private data of thousands of individuals. There is no hacking, no social engineering, or anything else involved: just one Google search, and thousands of people's private data.
With a single Google search, we were able to get access to multiple Excel sheets with data from the Ministry of Human Resource Development's website. These files are available to download with a single click, and contain detailed information about the people listed in them. All we had to do was search for "Aadhaar number name filetype:xls", and the very first page has three results from the MHRD website containing details of people that we should never have been able to see. The first of these gave us the details of over 1,000 people who have received a scholarship from the MHRD: we could see their names, their fathers' names, gender, date of birth, general or SC/ST category, Aadhaar numbers, bank account numbers, bank names and IFSC codes, and their full addresses, down to the PIN codes.
We could see their subjects, the years they passed, where they studied, and even the marks they got. With this huge amount of information, you could easily steal a person's identity using just a few phone calls.
From the next page, we got a sheet from the National Disaster Management Agency, where we could see a list of people who had received payments from the agency, along with the amount, the account number, and, again, the bank's IFSC code. The list goes on and on; for example, another sheet was from Karnataka's Department of State Educational Research and Training.
There is no sophistication required to get this information. You don't need to be technologically competent, or have any special training. Anyone with access to Google has access to this information, and although we just found these sheets, someone with time and patience will find many more, because there don't seem to be any safeguards in place to protect this information.
So far we've been able to piece together people's names, phone numbers, birth dates, addresses, and Aadhaar numbers, along with bank account numbers and IFSC codes. Get lucky with one more sheet, and you could get their PAN numbers as well. This is more than enough to carry out identity theft, which likewise requires no technological sophistication or training.
In his post, St_Hill also points out that publishing Aadhaar number information is prohibited by the 2016 Aadhaar Act. In other words, these government offices are possibly in contravention of the law in how they are storing their data. Unfortunately, at this point there is no clear answer on why these documents were published in this manner, or what remedial steps will be taken now.
We also tried repeating the search with other ID documents, but for whatever reason, in those cases we found only blank forms and guidelines, not filled-in documents. It is possible, though, that with more permutations and combinations even more government documents of this sort could turn up, which is a worrying consideration.