Biggest Data Breach of 81.5 Crore Indians’ Aadhaar & Passport Info on Sale on Dark Web: Report
The Indian government has neither confirmed nor denied a report by the American cyber security and intelligence agency, Resecurity, which raised an alarm about a data leak concerning the Aadhaar and passport details of over 81 crore Indians. Here’s a detailed breakdown of the situation:
1. The Breach Details:
On October 9, 2023, Resecurity, a U.S.-based cyber security company, reported that an individual using the pseudonym ‘pwn0001’ announced that they were offering access to 815 million (81.5 crore) records of “Indian Citizen Aadhaar & Passport”. This number is staggering, especially when you consider that India’s total population is slightly over 1.486 billion people.
2. The Sale Price:
The threat actor was reportedly willing to sell the entire dataset of Aadhaar and Indian passport details for a sum of $80,000. However, the exact method through which this data found its way to the dark web remains unclear.
3. What Does the Data Include?
The leaked data encompasses various details of Indian citizens, such as their names, fathers’ names, phone numbers, passport numbers, Aadhaar numbers, ages, genders, addresses, and pincodes. As a form of validation, ‘pwn0001’ shared spreadsheets containing sample Aadhaar data. One of these samples had 100,000 records of personal identifiable information (PII) related to Indian residents.
4. Another Threat Actor:
On August 30, 2023, another individual, identified as ‘Lucius’, promoted a 1.8 terabyte data leak. This leak reportedly contained a database from India’s internal law enforcement organization, including names, phone numbers, addresses, national ID numbers, and names of relatives. This dataset was even more comprehensive than the one offered by ‘pwn0001’, as it also included Voter IDs and driving license records.
5. The Implications:
Such a vast exposure of Indian PII data on the dark web poses a significant threat of digital identity theft. Cybercriminals could exploit this data for various malicious activities, including online banking theft and e-tax refund frauds.
6. Previous Cyberattacks:
India has witnessed an uptick in cyberattacks targeting government platforms. For instance, in August, the government’s Parivahan website suffered a data breach, and in June, Aadhaar or passport numbers of COVID-vaccinated individuals were being sold on Telegram.
7. Aadhaar’s Significance:
With approximately 1.4 billion Aadhaars issued by UIDAI since its inception in 2009, the Aadhaar system is one of the world’s largest biometric ID programs. It serves multiple purposes, from facilitating electronic payments to enabling e-tax filing and more. As of February 2023, 60% of India’s eligible voters had linked their Aadhaar cards to their voter IDs.
8. Measures for Data Protection:
To safeguard the data of Indian citizens and ensure its lawful use, the Rajya Sabha passed the Digital Personal Data Protection Bill in August 2023. This legislation aims to protect citizens’ rights to their personal information and will apply to digital personal data collected both online and offline.
This incident underscores the importance of robust cybersecurity measures and the need for individuals to be vigilant about their personal data.
