In a jaw-dropping revelation, India is grappling with what’s being called its most massive data breach ever. India is at risk of financial scams and digital identity theft due to a Web Data Leak. The personal information of a mind-boggling 81.5 crore citizens is now up for grabs on the dark web. The report, made public by the American cybersecurity firm Resecurity Hunter, underscores the urgent need for bolstered data security measures.
Web Data Leak Leaves India at Risk
In discussions with CNBC TV18, Resecurity sounded the alarm about the massive leak of Personally Identifiable Information (PII) data of Indian citizens on the dark web, which poses a grave risk of digital identity theft. The release of this data into the wrong hands could potentially fuel a range of financially motivated scams targeting India.
Adding to the gravity of the situation, the ‘bad actor’ behind this leak indicated, in a subsequent post, that the data had its origins in a government system. There’s also a chance that a third party engaged in data collection for Know Your Customer (KYC) reasons may have compromised the information.
Resecurity’s warning traces back to an alarming blog post issued on October 15. There, it came to light that an unidentified ‘threat actor,’ operating under the alias ‘pwn0001,’ had advertised the sale of a staggering 81.5 crore “Indian Citizen Aadhaar and Passport” records on Breach Forums. This shocking offer, posted on October 9, came with a hefty price tag of $80,000 for the entire dataset.
The ‘threat actor’ claimed that this data was extracted from COVID-19 test records of Indian citizens. It has come from the Indian Council of Medical Research (ICMR). The claim has sent an obvious shockwave through the cybersecurity and intelligence communities. It is notable that since February, ICMR has already been the victim of many attempted cyberattacks. Over 6,000 incidents were reported just last year! Central agencies and the council had been acutely aware of these threats. They had urged ICMR to take corrective measures to safeguard the data.
Despite persistent efforts to reach out, News18 had not received any response from the Director-General of ICMR as of October 28, necessitating further investigation and clarifications.
Foreign Involvement and Official Responses
The breach has raised concerns about potential foreign involvement. High-ranking officials from various agencies and ministries are already addressing the situation. Corrective measures are currently in motion, and a Standard Operating Procedure (SoP) has been enacted to mitigate the damage.
The threat actor’s dataset was highlighted in the Resecurity study. It contained a wide range of personally identifiable information (PII) records. This encompassed sensitive details such as names, father’s names, phone numbers, passport numbers, Aadhaar numbers, ages, genders, addresses, districts, pincodes, and states.
The Source Remains Hidden
Significantly, pwn0001 chose not to disclose the source of this data, leaving the cause of the breach a subject of speculation.
Resecurity went on to emphasize that pwn0001 had shared spreadsheets containing four large leak samples, each containing fragments of Aadhaar data as proof. One of the leaked samples held 100,000 records of PII pertaining to Indian residents. In this particular sample, HUNTER analysts verified valid Aadhaar Card IDs through a government portal that offers a “Verify Aadhaar” feature, which allows the validation of Aadhaar credentials.
Additionally, Resecurity brought to light another threat actor known by the alias ‘Lucius,’ who posted a thread on Breach Forums on August 30. Lucius was promoting a 1.8 terabyte data leak that affected an undisclosed “India internal law enforcement organization.” The report suggested that the data set in Lucius’s leak contained an even wider array of PII data, beyond just Aadhaar IDs, extending to Voter IDs and driving license records.
Resecurity speculated that the threat actor using the alias ‘Lucius’ may be referencing law enforcement as a diversion tactic to mask the actual intrusion vector that enabled them to acquire the data. Alternatively, this move could be aimed at generating hype around the data offering.
Importance of Data Protection Laws
In conclusion, the breach scenario mentioned in the Resecurity report raised concerns related to the “PREPAID” signature identified in several records. This signature could be linked to a leak from a telecommunications carrier that provides prepaid SIM cards and similar services, often utilizing such information for KYC (Know Your Customer) verification purposes.
These services entail the collection of PII data to validate customers prior to the activation of mobile services. While Resecurity refrained from speculating on how this vast trove of personal data found its way onto the dark web, it’s clear that this is yet another significant data breach that will expose the vulnerabilities in India’s data security landscape. In light of this breach, the importance of robust data protection laws and practices becomes all the more apparent, particularly as the Digital Personal Data Protection Act, 2023, awaits notification after its passage in Parliament and receiving the President’s assent in August.