Officials of State Bank of India (SBI) have alleged that data of the Unique Identification Authority of India (UIDAI) has been misused.
Logins and biometrics of their Aadhaar operators have been misused to generate unauthorised Aadhaar cards, bank officials informed UIDAI. Countering the charge, UIDAI said, “Aadhaar database is fully secured and no security breach, biometric or otherwise, has taken place.”
SBI, like other banks, was given an Aadhaar enrolment target for which it selected vendors — FIA Technology Services Pvt Ltd and Sanjivini Consultants Pvt Ltd — in the Chandigarh region which covers Haryana, Punjab, Himachal, J&K and the UT of Chandigarh itself. However, of close to 250 operators employed with these agencies, nearly half were penalised in the last two months and were either deactivated or blacklisted. This brought SBI’s Aadhaar enrolments to a halt at many branches, causing the bank to fail to meet targets and face penalties.
One of those penalised was 40-year-old Vikram, who worked for a monthly salary of Rs10,000 as an Aadhaar operator at the SBI branch in a small village called Uchana in Haryana’s Jind district. On December 26, 2018, UIDAI fined him more than Rs33 lakh.
According to UIDAI, Vikram had used his operator ID to generate Aadhaar cards using fraudulent documents between November 9 and November 17, 2018. It was done using “multiple station IDs” in Vikram’s name, which allowed Aadhaar cards to be made from multiple devices — 143, to be precise. Every device, like a laptop, desktop or tablet, used for Aadhaar enrolment is registered with UIDAI and identified by the “station ID”.
SBI officials pointed out that as “registrar” (as all banks entrusted with Aadhaar enrolment are), only they could have approved multiple station IDs but they had not done so. The bank’s officials in Chandigarh wrote to their corporate office in Mumbai to raise the issue with UIDAI, saying they did not create these multiple station IDs and there must have been lacunae in UIDAI’s security system that allowed “someone to hack the system and generate multiple station IDs” in Vikram’s name.
Even more baffling was the misuse of Vikram’s personal biometrics (fingerprints in this case) to generate Aadhaar cards, carry out unexplained transactions at places like the I-T department, Maharashtra government, MP government, National Informatics Centre and various banks, and even withdraw money from his personal accounts. All this time, UIDAI did not act against any bank official, which would have been the case had there been a lapse or wrongdoing by SBI officials.
SBI deputy general manager B Rajendra Kumar confirmed that he was aware of the “misuse of the biometrics” of Vikram and problems facing their sub-vendors. “We have, through our corporate office in Mumbai, raised this issue with UIDAI. The authority should be more transparent with us and let us know how this is happening. They should also guide us on the issue and, above all, make their database more secure,” he told mediapersons.
An internal inquiry by the bank, and also the agency (vendor), cleared Vikram of the charges levelled by UIDAI, and SBI has already requested the authority to remove the penalty and allow him to return to work. Seeking UIDAI’s response, a mediaperson wrote a mail to its chief executive officer (CEO) and media in-charge on January 4, 2019. In its reply, sent January 18, UIDAI refused to share the details of the case but admitted that an inquiry was on.
Meanwhile, almost all the operators, except Vikram, were cleared by UIDAI and allowed to return to work. On January 9, the authority finally introduced an additional step in the registration of Aadhaar operators as an extra security measure.
“Also, some unscrupulous elements have been attempting to register multiple machines but UIDAI has an inherent system in place to detect any such attempt and appropriate action is taken on a daily basis on operators who err. UIDAI imposes financial disincentives and blacklists errant operators. However, it relooks into the issue if someone is wrongly penalised. It would be pertinent to mention here that divulging details of any specific case under inquiry would not be appropriate in the case,” UIDAI told mediapersons when specifically asked about Vikram’s case.