In a massive data breach, personally identifiable information of 81.5 crore Indians has been up on the dark web for sale, according to a report by US-based cybersecurity firm Resecurity. The stolen data includes Aadhaar and passport details, names, phone numbers, and both temporary and permanent addresses of crores of Indians.
As reported by Resecurity, on October 9, an individual using the pseudonym "pwn0001" made a post on Breach Forums, a darknet crime forum, where they offered access to a dataset containing 81.5 crore records with information related to "Indian Citizen Aadhaar and Passport." When Resecurity reached out to the hacker, they were open to selling the complete Aadhaar and Indian passport dataset for $80,000 (Rs 66,60,000).
Decode spoke to two cybersecurity experts who told us what this could mean.
What do we know about the data breach?
The data set offered by 'pwn0001' includes information such as, name, father's name, phone number, other number, passport number, Aadhar Number, age, gender, address, district, pin code and state.
The leaked data sample, currently available freely on Breach Forums, has the details of 1,00,000 people living in India. Resecurity claims to have checked some Aadhaar Card IDs from this piece and found they were real. They checked them on the government website using the 'Verify Aadhaar' feature.
In another breach, dated August 30, highlighted in the same report, a threat hacker with pseudonym 'Lucius', created a post on Breach Forums to promoting a 1.8 terabyte file that was leaked from an undisclosed "internal law enforcement organization" in India.
This data set, as per the report, contained "an even more extensive array of PII data than pwn0001's". It contained Voter IDs and driving license records of Indian citizens.
What is the source of the leak?
A News18 report has claimed that the Indian Council of Medical Research (ICMR)’s database was breached. The report also said that the Indian Computer Emergency Response Team (CERT-In) has informed ICMR of the breach and it has to verify it. However, an official confirmation from ICMR is yet to come.
Speaking to Decode, security researcher Srinivas Kodali alleged that this breach could have more than just one source. "Given the huge number, we can think of a few databases with this scale of data sets. We can rule out electoral data as the leaked data also has details of minors, including 10-year-old's. Even for Covid vaccination, children below 12 were not vaccinated," he said.
According to Kodali, it could be Aadhaar database, birth and death registration database or passport database. "I am unable to pinpoint any one but it looks like data was a collation of different sets," he said.
Cybersecurity expert Ritesh Bhatia told Decode that there are ways, like locking biometrics, by which we can safeguard our sensitive information against leak, as now almost every dataset system is linked to biometrics via Aadhaar. "However, whatever damage was supposed to be done, has been done as our data is too vulnerable now."
Private data is no more private
According to Kodali, our system has been created in such a way that now everything is based on Aadhaar as a backbone. "What is scary that it is not very difficult to get hold of somebody else's Aadhaar details, given such massive leaks."
As Aadhaar is being linked to every system, starting from banks to now property registration, these systems will too inherit Aadhaar-related issues. "Now in many states of India, land digitisation is being carried out, where Aadhaar details are being used and the same problems are arising in property registration," he said.
The more we share our Aadhaar data, the more it is being traded and will be used by bad actors, he added.
Bhatia also pointed out, "The Aadhaar-related scams have become so common as now fingerprints are being stolen from government websites. With the recent AePS scams, scammer don't even require OTPs to pull them off."
Given the rise in AePS scams, last month, Sourajeet Majumdar, an independent security researcher, helped Decode in unfolding the modus operandi of one such scam in West Bengal. In this case, scammers were stealing fingerprints from digital copies of land deeds found on the official government website, and using it to attack biometric ATMs for draining users’ bank accounts.
The scammers were exploiting a technical vulnerability of the website which allowed them to download the deed copies in bulk.
Recently, Moody's Investors Service, a prominent global rating agency, also raised significant concerns regarding India's Aadhaar system, casting doubt on the dependability of biometric technologies.
Emphasising that ID systems like Aadhaar result in the centralisation of sensitive data within specific organisations and heighten the potential for data breaches, Moody's report advocated for decentralised identity (DID) systems like digital wallets, which leverage blockchain technology to grant users greater control over their personal information and mitigate online fraud risks.