Gemalto ‘big’ apology came after UIDAI circular to suspend procurement of firm’s products

The global digital security giant provides the Aadhaar’s fingerprint scanner and iris scanner tools, as per its website.

New Delhi: Global digital security firm Gemalto’s very public apology, for an “inaccurate report” that claimed that almost one billion Aadhaar records had been breached in the first half of 2018, came 10 days after a UIDAI notice, issued on 17 October, which called for the suspension of Gemalto’s products in the Aadhaar project.

“It has been brought to the notice of this office that certain security issues have been discovered in existing Gemalto products. These issues need further evaluation for the potential risks pertaining to the use of Gemalto products in Aadhaar ecosystem,” the notice reads.  “Hence all ecosystem partners are hereby advised to suspend the future procurement of Gemalto products like HSM, biometric devices etc. till further notice”.

 Also Read: Lucknow medical institute server not secure, ripe for data theft, says expert

The notification came two days after Gemalto had put out a press release in India, on 15 October, alleging that Aadhaar data had been compromised, before immediately withdrawing it.  The claim had been made in the Breach Level Index report, which is a global database of public data breaches.

Firm’s products used in Aadhaar  

Gemalto is a global leader in providing digital security solutions for secure software, biometrics and encryption. It has customers in over 180 countries and its revenue in 2017 alone was 3 billion euros.

 According to the Gemalto’s website, the Aadhaar project’s fingerprint scanner and iris scanner tools are provided by the company. “In the search for biometric enrolment solution capable of capturing fingerprint and iris scans from over one billion people, the Indian authorities turned in particular to 3M Cogent – now a Gemalto company,” the firm says online.

The acronym ‘HSM’ as mentioned in this circular also appears on the Gemalto website and stands for Hardware Security Module (HSM).

Gemalto’s website suggests it is very important for this HSM to be secure, or it could make the Aadhaar data vulnerable.   “…because the Unique Identification Numbers (UIDs) issued by the UIDAI contain Personally Identifiable Information (PII), the authority mandated that the private cryptographic keys used to digitally sign and authenticate UIDs must be stored on a Hardware Security Module (HSM),” the website says.

ThePrint reached out to Gemalto and is awaiting a response.

A very public apology

While Gemalto immediately retracted its 15 October press release, the company’s CEO Philippe Vallee issued a public apology that was carried, as an half-page advertisement, in Indian newspapers on 27 October.

According to news reports, the company first put out a statement after retracting the press release, saying it had mistakenly “taken into account an unverified news article about alleged Aadhaar data breach”.

 Also Read: Behind official Kerala rescue website are 1,500 techies working for free

In his 27 October apology, Vallee further expressed deep regret for “releasing this unverified information in the report and for failing to conduct sufficient due diligence before publishing this information”.

“Through the publication of this report, Gemalto has caused prejudices in the minds of the general public at large against Aadhaar which we deeply regret,” the half-page apology read.  “We never intended to malign Aadhaar, India’s prestigious identity mission project, by unknowingly committing the mistake.”

He also said that the company would launch an internal investigation and take additional appropriate action internally. “Further, as an organisation providing cybersecurity space expertise and solutions, we have not been able to find any evidence of any Aadhaar data being breached. Any inconvenience caused to the people of India by our actions is deeply regretted”.