Right from its inception, the Aadhaar project has been, and continues to be, questioned for violating privacy and data security. The issue has taken centre stage like never before after an exposé by a journalist. Though UIDAI has denied any such breach, its defence has been at best ambiguous. The core of Aadhaar, the Central Identities Database Repository (CIDR), may be strong by design. However, its support systems, processes, and wider ecosystem are exposed, with open access for any government-authorised or private entity.
Some crucial lacunae in the identification and authentication processes of Aadhaar have been pointed out by the Center for Internet and Society. Some possible ways of breach are correlation of identities across domains, identification without consent using Aadhaar data, and illegal tracking of individuals. The possibility of insider attacks could be the most dangerous threat to the Aadhaar ecosystem. The ecosystem could also come under attack if an attacker can collude with an insider who has access to various components of the Aadhaar system - something akin to the recent breach, which was aided by the involvement of an insider. Though an FIR has been filed with the police, there is no information on UIDAI taking any action against either government or private employees. According to various studies on the Aadhaar ecosystem, there are no safeguards or guidelines - either technical or legal - on how the Aadhaar number should be maintained, how it should be used by Authentication User Agencies (AUA) in a cryptographically secure way, and how to prevent the Aadhaar number of an individual from becoming public.