An Ola Employee Has Been Arrested For Building An App That Illegally Accessed Aadhar Data

An Ola employee has been arrested by the Bangalore police for illegally accessing and exposing confidential Aadhar data.

Abhinav Srivastav, who worked for Ola in its head office in Koramangla, had created an app called “Aadhar e-KYC” in January this year. Srivastav, 31, was allegedly illegally accessing Aadhar-related information hosted on National Informatics Centre server, and was using it to support the app. The police say the app was exposing citizens’ private data to the public.

pjimage (3)

“Aadhaar related information, legally housed by the National Informatics Centre server, was illegally and without authorisation accessed and used to support this mobile application,” said the police statement. 

The police investigation revealed that Srivastav piggybacked on the infrastructure of another app, called e-hospital, for hacking the Aadhar data base. The ‘e-hospital’ platform is one of the 400 odd  entities that have been authorised to access  Aadhar data for authentication. Srivastav used this server to route his app requests for data access, and managed to steal the data, the police said.

His app has now been taken down, but it reportedly had over 50,000 downloads. It is unclear what Srivastav’s motives behind developing the app were, but Bangalore Police said that he’d made Rs. 40,000 from advertisements that were displayed on it. Srivastav was apparently a prolific app developer, and the police are scanning his other apps to see if they violated any guidelines.

Srivastav had a background in the field — his LinkedIn profile lists his area of expertise as Computer and Network Security. He had graduated from IIT Kharagpur with an M.Sc. in Industrial Chemistry in 2010. He’d then worked as a security researcher, before founding a company called Qarth Technologies in 2012. Qarth Technologies was acquired by Ola in 2016. Ola denied any knowledge of the app, adding it had not been contacted by any law enforcement officials.

UIDAI had discovered the app and had filed a complaint on 27th July. Based on the complaint, Bangalore’s cyber crime police sprung into action and formed six special teams. Srivastav reportedly tried to go underground, but was arrested in Koramangla on 1st August.

The episode is expected to provide further ammunition to a small but vocal online community that’s been voicing its concerns over the safety of Aadhar. While most agree with the Aadhar’s program’s benefits, there have been misgivings about how safe the data is, and how vulnerable it is to misuse. While the UIDAI eventually managed to track down an offender and put them behind bars, the fact that the app remained live for nearly six months could give some of its proponents cause for concern.