Recently, I got surprised, rather shocked, when I heard that the Adhar data of 81.5 crore Indians were put out for sale on the dark web. It was very hard to believe this news, but it was confirmed (by various authentic news sources) that it is not a rumour.
We, Indians, do not value data as much as Americans do. This is why we do not hear our media groups talking about this serious issue when it came to light. In developed countries like the US, GB, Canada, etc., data breaches are not taken for granted. Instead, people flok to courts of law to register cases agaist the concerned authorities responsible for the data breaches.
However, due to lack of much knowledge and less effective measures taken by the officials, we cannot do much in cases where data of millions of Indians is exposed and put on sale. This situation needs to improve to maintain data privacy and security as promised to the data owners. The concerned authorities must be kept anserable for ther incapability to prevent such incidents from happening.
Let’s get into details about the Aadhar data breach that came to light in late October 2023.
US-based cybersecurity firm Resecurity has reported a potential massive data breach in Indian history. It appears that the personal information of more than 815 million Indian citizens is being offered for sale on the dark web. The compromised data includes sensitive details like Aadhaar and passport information, as well as individuals’ names, phone numbers, and addresses, according to Resecurity’s findings.
This information was originally sourced from the Indian Council of Medical Research’s (ICMR) database.
Resecurity’s discovery of the data breach revealed that on October 9, an individual using the pseudonym ‘pwn0001’ posted a message on Breach Forums, offering access to a vast database of 815 million records labeled as ‘Indian Citizen Aadhaar and Passport’ information.
Additionally, cybersecurity analysts identified one of the leaked samples, which contained 100,000 records of personally identifiable information (PII) associated with Indian residents.
Within this leaked sample, the analysts verified the authenticity of Aadhaar Card IDs by cross-referencing them through a government portal that offers a “Verify Aadhaar” functionality. This verification has concluded that indeed the data breach is real, not a rumour.
The analysts successfully established contact with the threat actor and discovered that they were open to selling the complete dataset containing Aadhaar and Indian passport records for $80,000 (equivalent to over Rs 66 lakh).
However, the threat actor refused to disclose the method by which they acquired the data. The data which is available for sale on the dark web includes the personal details like
- Name
- Fathers Name
- Phone Number
- Other Number
- Aadhar Number
- Age
- Gender
- Address
- District
- Pincode
- State
According to Resecurity, the hacker ‘pwn0001’ presented several spreadsheets that contained fragments of Aadhaar data as evidence. Within one of these data fragments, information for 100,000 individuals residing in India was included. The security team asserted that they verified the authenticity of some Aadhaar Card IDs from this data fragment by cross-referencing them on a government website designed for verifying the validity of Aadhaar details.
This incident is not alone. There are a number of cyber incidents that occured recently. One of such incidents includes comprmising the official website of Ministry of AYUSH in Jharkhand recently. This data breach has resulted in exposing data records of over 3.2 lakh patients. Upon investigation, a person named “Tanaka” was identifed as the mastermind for this security incident.
Such incidents have shook our faith in the system. And this also highlights the inefficiency of the system in handling massive, sensitive data of citizens. The Central Bureau of Investigation (CBI) is anticipated to initiate an investigation into the incident once the ICMR files an official complaint.
Coming to data breaches, there are several other incidents where citizens can avoid them by taking certain security measures. These measures can be applied on all their personal, sensitive data they store on their devices or share online. To avoid data breaches at personal level, we all need to be vigilant and exercise caution while keeping ourselves updated with advanced cyberattack techniques used by cybercriminals.
Do comment what you think about this and share the article with others to increase cyberawareness.
