The security software company apologised to UIDAI and changed its estimates by a whopping 20%
In an unprecedented move, security software maker Gemalto withdrew its much-quoted bi-annual global Breach Level Index (BLI) report that it had released on 9th October and republished it on 22nd October with significant downward revision of its estimated number of records compromised globally in the first half of 2018.
Bulk of the difference between the two numbers—3.3 billion records in the revised estimates and 4.5 billion in the original estimated, a difference of more than 20%—is due to its retracted claim that close to 1 billion Aadhaar records in India were compromised in that period (first half of 2018).
An India-specific release dated 15th October based on its first version of estimates had explicitly mentioned about Aadhaar accounting for a billion breaches.
“During the first six months of 2018, almost 1 billion records were compromised in Aadhaar breach incident, including name, address and other personally identified information,” the original release had claimed.
Gemalto tendered an unqualified apology to India’s identity database authority, UIDAI for the statement.
“Gemalto profusely regrets on its Breach Level Index Report 2018 and the subsequent press release issued in India on 15th October where it has by mistake taken into account an unverified news article about alleged Aadhaar data breach. Gemalto has updated its Breach Level Index Report 2018 and wants to make it clear that it was an error in the above said report which has been corrected and all concerned should take note of it that we have not been able to track any verified or substantiated data breach of Aadhaar database of UIDAI. As a result, Gemalto has withdrawn this alleged data from the Breach Level Index. Any inconvenience caused to UIDAI is deeply regretted,” it said in a release issued in India on 22nd October.
Interestingly, three days before Gemalto releasing the clarification, the UIDAI had already released its own clarification by quoting the Gemalto apology.
Why the U-turn?
While it is not known what made Gemalto took a U-turn, staking its reputation built over years—by admitting that it based its report on an unverified ‘news article—the highly vocal social media too is silent on it.
Queries made to Gemalto by CSO Forum through its agency asking what made the company retract its earlier claims did not offer any new insight and just referred to the revised release.
While a section of analysts speculate that it could be because of government pressure, many question the tone of the first release by Gemalto. It mentioned about 1 billion data breaches in Aadhaar inside the release, without highlighting it.
“At 1 billion records, it is more than 20% of your estimated global data breaches, coming from one project. How can you be so casual about it, if it is indeed what you have found out,” asked a security consultant, who requested anonymity.
What is surprising is that Gemalto, in a positive article in its website about Aadhaar project, updated last in July 2018, had detailed out Gemalto’s role in Aadhaar.
In a section in the story titled “So where does Gemalto fit into this story?” the security solution maker had claimed that it contributed to two domains.
First was biometric enrolment solutions. “The roots of Gemalto's involvement in the Aadhaar project stretch right back to the very beginning. In the search for biometric enrolment solutions capable of capturing fingerprint and iris scans from over one billion people, the Indian authorities turned in particular to 3M Cogent– now a Gemalto company,” it said.
It has also mentioned that Gemalto was supplying its single-digit (one finger) optical fingerprint scanner to UIDAI.
“Another 2017 initiative by the UIDAI is set to promote even wider use of Gemalto technology within the Aadhaar scheme,” it said.
“Specifically, because the Unique Identification Numbers (UIDs) issued by the UIDAI contain Personally Identifiable Information (PII), the authority mandated that the private cryptographic keys used to digitally sign and authenticate UIDs must be stored on a Hardware Security Module (HSM). Furthermore, to prevent data falling into the wrong hands, their use was also made subject to strict conditions. This included the use of 'tokenization' – the process of replacing data with a digital token that can be safely stored, processed and transmitted without compromising the original information,” it illustrated
Claiming that Gemalto is recognized as a world leader in this field, it pointed to a greater involvement with Aadhaar.
So, the breach of Aadhaar data it claimed in its first BLI release, was in a way security failure of a project, it is closely associated with, even though the breach may not have been a failure of its own systems.
What prompted Gemalto to make such drastic statements, only to withdraw it in less than two weeks? After admitting that it had ‘by mistake’ included one billion compromised records based on news reports, it does point to a lack of rigorous validation. Will the next Breach Level Index carry the same level of credibility that it carried till six months back?