Indian officials in charge of a controversial biometric identity scheme have filed a police complaint after a report that citizens' personal details were being sold for as little as 500 rupees ($7.8;£5.8) online.
The Unique Identification Authority of India (UIDAI) wants a probe into "unauthorised access" to its database.
But it said biometric data was safe.
The Tribune newspaper claimed that it bought user details via an "agent" advertising his services on WhatsApp.
The report is the latest revelation against the UIDAI biometric system known as Aadhaar, which means foundation.
It said that once it paid the "agent", its reporters were given a username and password that allowed them to enter any Aadhaar number into the UIDAI website and get access to user information including name, address, photo, phone number and email address.
The report added that payment of a further 300 rupees provided "software" that allowed them to print out any Aadhaar card for which they had the number.
The UIDAI says the breach seems to be a misuse of a grievance redressal scheme that allowed Aadhaar agents to rectify issues like a change in address and wrong spelling of a person's name.
However, it added that the scheme did not grant access to people's biometric details.
The revelations in the report made headlines in India, with many on social media expressing concern over the security of their personal data.
There’s far too much evidence of the dangers of Aadhar by now, from starvation deaths to breach of privacy. Supreme Court should immediately suspend all use of Aadhar. https://t.co/ZMFIgcrRi8— Shivam Vij (@DilliDurAst) January 4, 2018
Aadhaar started out as a voluntary programme to help tackle benefit fraud, but recently it has been made mandatory for access to welfare schemes.
Critics have repeatedly warned that the scheme puts personal information at risk" and have criticised government efforts to compulsorily link it to bank accounts and mobile phone numbers.
The government has always insisted that the biometric data is "safe and secure in encrypted form", and anybody found guilty of leaking data can be jailed and fined.
A case challenging its mandatory linking to schemes and bank accounts is pending before the country's Supreme Court.