Biggest data breach? 81 cr Indians’ Aadhaar & passport info on sale on dark web: Report

The Centre has neither refuted nor acknowledged a report by an American cyber security and intelligence agency, Resecurity's alert that flagged data leak pertaining to Aadhaar and passport information of over 81 crore Indians.

According to a report by Resecurity, a U.S.-based cyber security company, on October 9, 2023, a threat actor going by the alias ‘pwn0001’ posted a thread on 'Breach Forums', brokering access to 815 million (81.5 crore) “Indian Citizen Aadhaar & Passport” records. To put the scale of this data breach in perspective, India’s entire population is just over 1.486 billion people.

The report says "HUNTER investigators established contact with the threat actor and learned they were willing to sell the entire Aadhaar and Indian passport dataset for $80,000". However, it was not immediately clear how the entire data was leaked on the dark web.

The data set includes multiple fields related to Indian citizens, including fields, name, father's name, phone number, passport number, Aadhaar number, age, gender, address and pincode.

"Concurrently, pwn0001 shared spreadsheets containing four large leak samples with fragments of Aadhaar data as proof. One of the leaked samples contains 100,000 records of PII related to Indian residents," says Resecurity report, adding that analysts found out that Aadhaar Card IDs were valid, which were corroborated via the government portal that provides a "Verify Aadhaar" feature.

On August 30, 2023, another threat actor, going by the name ‘Lucius’, posted a thread on Breach Forums promoting a 1.8 terabyte data leak, which says it contains a database of India's internal law enforcement organisation. The dataset includes a person's name, phone number, address, national ID number, and relative names.

"This data set contained an even more extensive array of PII data than pwn0001's. Beyond Aadhaar IDs, Lucius’ leak contained Voter IDs and driving license records," says the Resecurity report.

Such a massive leakage of Indian PII data on the 'Dark Web' creates a significant risk for digital identity theft. "By exploiting these stolen credentials, cybercriminals targeting India can perform a range of financially motivated scams like online banking theft and e-tax refund frauds," the report adds.

Cyberattacks targeting government platforms have increased in India in recent times. In August this year, cybersecurity firm CloudSEK reported that the government's Parivahan website suffered a data breach, exposing its source code and sensitive data of 10,000 users. In June this year, the Aadhaar or passport numbers of COVID-vaccinated beneficiaries were being sold via Telegram by a threat actor.

Notably, with roughly 1.4 billion Aadhaars issued by the UIDAI since this ID service launched in 2009, the Aadhaar system represents one of the largest biometric ID programs on the planet, a 2022 report by the think tank Brookings Institution shows. Aadhaar functions as digital ID, facilitating electronic payments, online know-your-customer (e-KYC) verification, and compatibility with various Indian financial platforms.

Aadhaar also enables e-tax filing, bill payments, and financial assets management. As of February 2023, 60% of India’s eligible voters, or 945 million people, had linked their Aadhaar card to their voter IDs.

To protect Indians' data and ensure it's used for lawful purposes, the Rajya Sabha in August 2023 passed the Digital Personal Data Protection Bill, 2023. The new law aims at safeguarding citizen’s right to personal information. Provisions of the bill will apply to digital personal data within India collected both online or offline and is digitised. Processing of personal data outside will also come under the ambit of the bill if it is for offering goods or services in India.