–An Article by Poojan Patel
Biggest Ever Data Breach: 81 Crore Indians at Risk
American cybersecurity and intelligence agency Resecurity has issued a grave alert regarding an alleged data breach involving the personal information of more than 81 crore Indians. The breach reportedly includes sensitive data such as Aadhaar and passport details, along with names, phone numbers, and addresses. The compromised information is said to be associated with the Indian Council of Medical Research (ICMR).
The ICMR has faced a series of cyber-attacks since February, culminating in this recent alleged breach. According to reports, a ‘threat actor’ going by the handle ‘pwn0001’ has claimed responsibility for the breach, advertising the stolen database for sale on the dark web. Shockingly, the data is said to include details related to COVID-19 tests, sourced directly from the ICMR.
Resecurity’s alert, published in early October, highlighted a disturbing trend of Indian citizens’ personal data being traded on the dark web. The threat actor ‘pwn0001’ has allegedly put up nearly 815 million Aadhaar records for sale at a staggering price of $80,000. The sample dataset shared by the actor contains personal information, including names, ages, phone numbers, Aadhaar numbers, and addresses, and covers even children as young as 10.
It remains unclear how this colossal breach occurred or from which database the records were stolen. Previous incidents, such as the CoWIN vaccination portal’s data leak, have already raised concerns about the vulnerability of large databases containing Indians’ personal information. The absence of a robust legal framework, like the yet-to-be-notified Digital Personal Data Protection Act, 2023, compounds the challenges in dealing with such breaches.
The ICMR has reportedly been informed about the breach, but the exact origin of the leak is yet to be identified. A thread on Breach Forums, posted by ‘pwn0001,’ serves as a chilling testament to the severity of the situation, exposing the inadequacies in safeguarding sensitive citizen data.
Resecurity’s findings also point to another threat actor, ‘Lucius,’ who has purportedly offered Indian law enforcement data for sale, claiming that 85% of Indians’ personal data is available in this dataset. The sample dataset shared by ‘Lucius’ includes KYC data of mobile connections, heightening concerns about the extent of compromised information.
As Indians grapple with the aftermath of this alarming data breach, questions loom over the security measures in place and the efficiency of organizations responsible for safeguarding citizen data. The lack of urgency from government bodies, including UIDAI, RBI, CERT-In, and the information technology ministry, is concerning, especially in the absence of concrete steps to mitigate the risks.
The scale of this breach and the potential consequences, including identity theft, online banking fraud, and other financial crimes, underscore the urgent need for a comprehensive cybersecurity strategy. With Cybersecurity Awareness Month underway, the onus is on authorities to provide tangible solutions rather than adhering to a “security-through-obscurity” model.
The implementation of the Digital Personal Data Protection Act, 2023, holds promise in addressing some of these issues, but unless exemptions are reconsidered, the threat to government networks will persist. As the nation grapples with the fallout of yet another data breach, the spotlight is on authorities to prioritize citizen privacy and take substantive actions to ensure a secure digital landscape for all Indians.