In this May 16, 2012 file photo, an operator helps an elderly woman scan her fingerprints as she enrolls for Aadhar, India's unique identification project in Kolkata, India. The country's leading English-language daily, The Tribune, published an article exposing a possible vulnerability in the system. (AP/Bikas Das)
In this May 16, 2012 file photo, an operator helps an elderly woman scan her fingerprints as she enrolls for Aadhar, India's unique identification project in Kolkata, India. The country's leading English-language daily, The Tribune, published an article exposing a possible vulnerability in the system. (AP/Bikas Das)
Alerts

Police file complaint against journalist and newspaper following data breach exposé

New Delhi, January 9, 2018–Indian authorities on January 5 filed a criminal complaint against the English-language daily The Tribune and its reporter Rachna Khaira, a day after the paper published Khaira’s report exposing a possible vulnerability in the country’s vast national identity system, according to news reports.

For the article, The Tribune said it paid hackers 500 Indian Rupees (US$8) to buy access to the Aadhar national identity database, which contains personal information of approximately a billion people, and an additional 300 Indian Rupees (US$4.70) for software that would allow the newspaper to receive an identity card for any individual in the system.

According to the Indian Express, the complaint was lodged under sections 419 (cheating by impersonation), 420 (cheating), 468 (forgery) and 471 (using a forged document) of the Indian penal code, section 66 of the IT act (damaging computer systems), and section 36/ 37 of the Aadhaar Act (unauthorized collection and dissemination of information).

Section 419 of the penal code, section 66 of the IT Act, and section 36/ 37 of the Aadhar act all carry three year prison terms. Sections 420, 468, and 471 each carry seven year terms.

“Rachna Khaira and The Tribune have done a public service in exposing the security vulnerabilities of India’s national identification database,” said Steven Butler, CPJ’s Asia program coordinator from Washington, D.C. “CPJ urges authorities to take this into account as they consider how to proceed.”

A spokesperson for the Unique Identification Authority of India (UIDAI) that runs the Aadhar system, Vikas Shukla, did not respond to CPJ’s request for comment.

In a January 7 press release, the UIDAI refuted the Tribune report, calling it “incorrect and misleading.”

Harish Khare, editor-in-chief of The Tribune, told CPJ the paper stands by its story.

Indian authorities also filed complaints against three men– Anil Kumar, Sunil Kumar, and a man identified as Raj– who Khaira mentions in her report as having helped The Tribune hack into the Aadhar system, according to The Indian Express.

Alok Kumar, joint commissioner of Delhi Police’s cybercrime unit, did not respond to CPJ’s calls seeking comment.

In a statement on January 7, the Editor’s Guild of India called the complaint against The Tribune and Khaira “an attack on the free press,” as published by The Hindu newspaper. “Instead of penalizing the reporter, UIDAI should have ordered a thorough internal investigation into the alleged breach and made its findings public,” the statement said.

More On:
Alerts
Asia
India
More On:
Aadhar
Cybercrime
Forgery
Rachna Khaira
The Tribune