The Indian Express has reported that a Unique Identification Authority of India (UIDAI) deputy director has filed an FIR against Tribune reporter Rachna Khaira, who had reported on the sale of administrator usernames and passwords to websites having full access to the Aadhaar database for Rs 500 last week.

The UIDAI had responded to the Tribune report saying that there had been no data breach of Aadhaar, though buying access to a database with nearly full Aadhaar holders’ details is arguably as bad.

And one does wonder how long (or if) the alleged sale of Aadhaar information would have stayed hidden, if the Tribune had not reported on it.

The Express reported that the FIR - under IPC Sections 419 (punishment for cheating by impersonation), 420 (cheating), 468 (forgery) and 471 (using as genuine a forged document), as well Section 66 of the IT Act and Section 36/37 of the Aadhaar Act - was also filed against other persons who were named in the Tribune report as involved in allegedly selling Aadhaar detail access.

The security hole, as pointed out by The Quint, appears to have been caused by allowing anyone with an administrator account on a Rajasthan government's website that had full Aadhaar database access, to also create an administrator account in turn, allegedly resulting in a booming trade for backdoor Aadhaar access to service providers that offered the printing of Aadhaar cards for holders.

Whether that hole has been plugged or even acknowledged is not clear, and shooting the messenger with an FIR seems like a recipe not for making Aadhaar more secure but to continue encouraging security by obscurity, which for a project of this size, can only be a terrible idea.