Aadhaar data not misused in Axis Bank case: UIDAI
New Delhi: The Unique Identification Authority of India (UIDAI) clarified on Sunday that there has been no misuse of Aadhaar biometrics and no financial loss with respect to the recent data breach of Axis Bank along with business correspondent Suvidhaa Infoserve and e-sign provider eMudhra.
It further reiterated the importance of keeping data safe by stating that no unauthorised party can store or share the information obtained by biometric authentications using Aadhaar on its own without the consent of the individual.
“It is an isolated case of an employee working with a bank’s Business Correspondent company making an attempt to misuse his own biometrics which was detected by UIDAI internal security system and subsequently actions under the Aadhaar Act have been initiated,” according to a statement by UIDAI.
On 15 February, UIDAI filed a police complaint for attempted unauthorized authentication and impersonation by illegally storing Aadhaar biometric data.
According to an Axis Bank spokesperson, a developer from Suvidhaa carried out four live Aadhaar-based authentications while the testing phase for them was still going on.
The breach was noticed after one individual was found to have performed 397 biometric transactions between 14 July 2016 and 19 February 2017. Of these, 194 transactions were performed through Axis Bank, 112 through eMudhra and 91 through Suvidhaa Infoserve.
Following the complaint, all the 3 entities submitted their reports on the matter to UIDAI on Monday. While UIDAI was looking into the matter, all Aadhaar-based transactions of the 3 entities were temporarily halted.
The authority has stated that any unauthorized capture of iris or fingerprints or storage or replay of biometrics or their misuse is a criminal offence under the Aadhaar Act. Only Authentication User Agencies (AUAs) and e-KYC User Agencies (KUAs) through authorized Authentication Service Agencies (ASAs), as per the Act, are permitted to carry out KYC of customers.
Some banks and telecom companies hire unauthorized private agencies for these biometric authentications/e-KYC, which leads to storage of data in parallel databases outside the purview of any privacy law. UIDAI states that such banks and telecom companies have to first become their AUA or ASA in order to retrieve any e-KYC information of their customers from them.
Any information provided by UIDAI will only be disseminated with the proper consent of the individuals to these agencies. The agencies must use the information only for the purpose for which it was obtained.