Info of 30 mn Indian railway users on sale on dark web: Report

A hacker forum user, who goes by the alias name Shadowhacker, has been found to be selling about 30 million user records, which include email, phone number, gender and personal info, of Indian railway passengers on the dark web. The authenticity of the stolen data is yet to be verified. The Indian railways and its ticketing arm IRCTC have also not issued any clarification on the hacker’s claims. A post shared on hacker forums shows Shadowhacker claiming there are a lot of government emails and information about important people in the leaked document.

The development comes a day after hackers claimed to have allegedly stolen the data of around 40 crore Twitter users and put it on sale on the dark web. The stolen database contains a lot of information, including emails, and phone numbers of high-profile users, politicians, and companies including Google CEO Sundar Pichai, Bollywood actor Salman Khan, Kevin O'Leary, Vitalik Buterin, among others, a report by Israeli cyber intelligence company Hudson Rock said.

A report by Israeli cyber intelligence company Hudson Rock said at this stage, it is not possible to fully verify there are indeed 400,000,000 users in the database. "From an independent verification, the data itself appears to be legitimate and we will follow up with any developments." It shared a screenshot, purportedly from the hacker, claiming that (s)he's selling data of over 400 million unique Twitter users scraped via a vulnerability. "This data is completely private," Hudson Rock said.

Threat actors have consistently targeted India's major establishments in the recent past. Last month, a ransomware attack, allegedly perpetrated by Chinese hackers, on India's premier medical institute AIIMS, badly affected its services, shutting down its servers for close to 9 hours. The five main servers of the hospital came under attack again on December 2, 2022, putting the medical data of millions of people at risk. Another cyber attack at Delhi's Safdarjung hospital also affected the hospital’s services, though it was not as severe as the one on AIIMS.

A Fortune India story on Digital Policy Paralysis, published on November 4, 2022, had highlighted that India has no law that effectively addresses real-life cases like the cyber attack on AIIMS. The Indian Computer Emergency Response Team (CERT-In) reported more than 6.7 lakh cyber security incidents in the first half of 2022. According to the Cost of Data Breach 2022 report by IBM, the average cost of data breaches in India is $2.32 million. It means a business loses an average ₹17.4 crore in a single data breach.

The legislature has engaged in multiple deliberations and probably used copious amounts of man-hours in preparing three draft bills on the issue of personal data privacy since 2018. However, not only is the latest Draft Bill on Digital Personal Data Protection the most ambiguous and ineffective among the three but it completely fails to ensure data security for Indian citizens.