Gemalto misreports 1.2 billion Aadhaar data breach; apologizes to UIDAI

Gemalto took a U-turn on its report of the Aadhaar data breach. Buckling under pressure from UIDAI, the security major has now issued an apology statement.

In its original 2018 Breach Level Index Report, cybersecurity giant Gemalto reported that data breaches compromised 4.5 billion records in the first half of 2018. A particularly disturbing finding that stood out in the report was Gemalto’s revelation of almost 1 billion records being compromised in the Aadhaar breach incident.

The report also highlighted that compromised data records of only one out of 12 breaches were protected by encryption.

In the wake of UIDAI’s backlash, Gemalto updated its Breach Level Index Report. The current report now states that data breaches compromised 3.3 billion records in the first half of 2018 – a staggering 72 percent spike compared to the same time period in 2017.

Interestingly, the revised report shies away from any mention of Aadhaar data being breached, although the topic has caused a fair bit of furore in the recent past – with allegations and counter-allegations flying back and forth between security researchers and the UIDAI.

Gemalto’s new version of the report carries an apology statement that goes as follows:

“Gemalto profusely regrets on its Breach Level Index Report 2018 and the subsequent press release issued in India on 15th October where it has by mistake taken into account an unverified news article about alleged Aadhaar data breach. Gemalto has updated its Breach Level Index Report 2018 and wants to make it clear that it was an error in the above said report which has been corrected and all concerned should take note of it that we have not been able to track any verified or substantiated data breach of Aadhaar database of UIDAI. As a result, Gemalto has withdrawn this alleged data from the Breach Level Index. Any inconvenience caused to UIDAI is deeply regretted.”

In defense of Aadhaar

This is not the first time UIDAI has been dragged through the muck regarding data breaches. Although credible sources have exposed vulnerabilities on a regular basis, the key lies in understanding what qualifies as an actual breach. 

A chat with Sivarama Krishnan, Leader – Cybersecurity at PwC, helps us clear the air around what really constitutes a hack.

Krishnan believes that vulnerabilities exist in every system, from any part of the world. The question to be asked is "Can the vulnerability be exploited?" Every exploit, he says, is not necessarily a breach.

"Following every incident, there's a huge uproar about UIDAI being breached and that it's in denial mode. However, the UIDAI denies any lapse because every vulnerability is presumed to be a breach, but it is not so," he explains.

Other interesting takeaways from Gemalto’s breach report

Gemalto’s Breach Level Index Report also highlighted that malicious insiders caused the largest percentage of data breaches – accounting for almost 80 percent of stolen or compromised data. 

Identity theft continues to be the leading type of data breach, and financial access incidents have indicated an increase in severity.