AADHAAR, India’s project to issue every resident a unique, biometrically verifiable identification number, is big, bold and in many ways brilliant. Aadhaar IDs provide a quick, easy and theoretically foolproof way for civil servants and firms to know for sure with whom they are dealing. Officials say the scheme allows better targeting of welfare. Businesses love how easy it makes checking credit histories and vetting job applicants, among other things.

An Aadhaar card allowed your correspondent to apply for and walk away with a driver’s licence in under half an hour. It provides proof of address and other data that in other countries—and in pre-Aadhaar India—would require a stack of documents. But civil libertarians have long worried that the government or, worse, crooks who gain access to the data will put Aadhaar to nefarious use. Some 200 government entities have been shamed for publishing private Aadhaar data, and more than one private firm with licensed access to Aadhaar data has been caught using it for purposes other than those agreed. Now proof has emerged that the whole database is not as watertight as claimed.

Earlier this month the Tribune, an English-language daily, revealed that for $8 or so a reporter had bought illegal access to the entire Aadhaar database, barring cardholders’ fingerprints and iris scans. For just $5 more she was able to print out ID cards with any Aadhaar number. The Unique Identification Authority of India (UIDAI), which runs Aadhaar, compounded the embarrassment by filing a police report against the reporter and her paper.

The ensuing outcry made headlines, and UIDAI quickly changed its tune, underlining its commitment to press freedom and to finding the real culprits. On January 10th it quietly added more layers of security. When fully applied in June, UIDAI’s new system will allow cardholders to hide their actual 12-digit Aadhaar number behind a changeable virtual ID code. It will also be far more selective about who has access to what level of data.

The changes may have come just in time. The scandal in the press, experts say, revealed only one of Aadhaar’s weaknesses, which UIDAI had already tried to fix. The breach exploited by the Tribune was through one of tens of thousands of private Aadhaar registration providers who had been licensed to process ID applications—an understandable expedient given the huge number of applicants. In a tacit admission of concern, UIDAI has revoked many of these private licences, but apparently forgot also to revoke the former licence-holders’ access to its database.

Ananth Padmanabhan, a researcher at the Carnegie Endowment for International Peace, a think-tank, describes the decision to recruit so many private agents as a recipe for trouble, but points out wider problems. One is what he calls “overseeding”: Aadhaar is now linked to more than 150 other databases, including less secure and more detailed data on residents stored by several Indian states. Some of these state troves, disturbingly, include information on religious affiliation and use mobile-phone data to track citizens’ movements. Another design flaw is in the structure of UIDAI. “It is a very strange beast,” says Mr Padmanabhan, “They made the custodian of data the regulator. Those duties should be separated.”

Until now, successive governments, dazzled by India’s heroic vault into the digital age, have blithely shrugged off concerns about Aadhaar. The current one, under Narendra Modi, the prime minister, has instead tried to cajole all Indians to join, even though participation in Aadhaar is supposed to be voluntary, by making an Aadhaar ID a requirement for a growing number of public and private services, including school lunches, pensions, tax registration, bank accounts and mobile phones. No wonder that more than nine in ten Indians—1.19bn people—have signed up so far.

Nikhil Pahwa, a digital-rights activist, reckons that Aadhaar was misconceived from the outset. The government put too much faith in the system’s designers, and was in too much of a hurry to get Aadhaar up and running. “So what we get is a public repository of private data being handed over to private enterprise,” he says. “When they say, ‘Big data is the new oil,’ I answer, ‘But my data is not your resource.’”