NEW DELHI, Oct 31: In what could be described as a serious data breach, personally identifiable information of 815 million Indians has been put up on the dark web for sale, according to a report by US-based cybersecurity firm Resecurity.
Details such as Aadhaar Card numbers and passport information along with names, phone numbers and addresses were available for sale online, it has said.
Some media reports suggested that the Indian Council of Medical Research (ICMR) database might have been compromised, given the extensive scope and sensitive nature of the information. Queries sent to ICMR by different news channels and newspersons did not get any answers.
“Securing assets is of importance for businesses in today’s world. The recent incident where the personal information of 815 million Indians was exposed in a data leak highlights the need for companies to take adequate measures,” Business Standard quoted Sanjay Kaushik, managing director of Netrika Consulting as saying.
According to the Resecurity website, on October 9 an individual using the alias “pwn0001” shared a post on BreachForums (a darknet crime forum) offering access to 815 million records containing information on “Indian Citizen Aadhaar and Passport”.
The hacker was willing to sell the entire Aadhaar and Indian passport dataset for $80,000 when contacted by Resecurity, various newspaper and website reports said.
In August this year, another threat actor known as “Lucius” posted a thread on BreachForums offering to sell a 1.8 terabyte data leak related to an unnamed “Indian internal law enforcement organisation”.
In April 2022, the Comptroller and Auditor General conducted an investigation into the Unique Identification Authority of India (UIDAI) and discovered that the authority had not effectively regulated its client vendors and safeguarded the security of their data vaults, as stated in a Brookings report.
Since its inception in 2009, UIDAI has issued approximately 1.4 billion Aadhaar cards. A report from the Brookings Institution in 2022 highlighted that the ID system ranked among the world’s largest biometric identification initiatives.
“Adopting measures like encryption, multifactor authentication and access controls are vital to protect data. Regular security audits and updates are also components of a cybersecurity strategy that can adapt to emerging threats effectively,” Kaushik was quoted by Business Standard in its report.
The exposure and leakage of data of personally identifiable information on the dark web, which includes Aadhaar and other personal details of Indian citizens, poses a substantial threat of digital identity theft. Malicious actors use pilfered identity data to engage in activities such as online banking fraud, tax refund scams and various cyber financial crimes across the world.
In fact, some of the cases of this nature have surfaced in different parts of India where the cybercriminals transferred money from the accounts of the some people to their bank accounts and disappeared in thin air. Some cases have been detected by the cyber cells of the law enforcement agencies in some states of India.
