Cyber Incident Victim: Telecom Regulatory Authority of India
Date:
Jul 2018
Location:
India
Summary
The Telecom Regulatory Authority of India (TRAI) chairman publicly shared his Aadhaar number on social media, challenging critics to demonstrate security risks, which led to the exposure of his personal information by a French security researcher. Using the Twitter handle @fs0c131y, the researcher revealed details including the chairman's address, date of birth, mobile numbers, PAN card number, and WhatsApp profile picture, illustrating vulnerabilities associated with making the biometric identifier public. The incident occurred amid ongoing debates about Aadhaar's privacy safeguards, with the chairman maintaining that the system had not experienced breaches and was essential for welfare program subsidies. The researcher emphasized the risks of publicly disclosing such data while sharing redacted screenshots of the leaked information.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 4 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On July 28, 2018, Telecom Regulatory Authority of India (TRAI) Chairman R S Sharma publicly tweeted his 12-digit Aadhaar number (7621 7768 2740) alongside a challenge asking critics to demonstrate concrete harm that could result from its disclosure. Sharma, a vocal advocate of India’s biometric identification system, framed this action as a defense of Aadhaar’s security amid ongoing privacy debates. Within hours, French security researcher Elliot Alderson (Twitter handle @fs0c131y) responded by disclosing Sharma’s personal information linked to the Aadhaar number, including his residential address, date of birth, mobile number (9958587977), PAN card number, and WhatsApp profile picture. Alderson cited an official Ministry of Electronics and Information Technology (MeitY) circular to identify the mobile number as belonging to Sharma’s secretary and shared a partially redacted family photo. The researcher emphasized the risks of exposing Aadhaar data, stating the leak demonstrated how publicly available Aadhaar numbers could facilitate unauthorized access to sensitive personal details.
The incident intensified scrutiny of Aadhaar’s security framework, which Sharma had consistently defended by asserting no breaches had compromised the central database. Critics argued the disclosure validated concerns about the system’s vulnerability to misuse, particularly through aggregation of publicly available data linked to Aadhaar identifiers. Sharma maintained his position, stating the leak did not originate from UIDAI systems but instead relied on external sources, though he did not specify mitigation steps. His tenure as TRAI chairman concluded 12 days later on August 9, 2018. The event underscored tensions between governmental assurances of Aadhaar’s infallibility and independent demonstrations of its potential exploitability using open-source intelligence methods. No formal institutional response to the leak was detailed in available reports beyond Sharma’s public statements reaffirming Aadhaar’s design integrity.