In a startling revelation, an American cybersecurity agency named Security has unearthed a massive data breach that has impacted more than 81.5 crore Indian citizens.
The agency has exposed that the data, encompassing many Indian individuals, has appeared on the dark web and is purportedly available for sale by an individual using the alias ‘pwn0001.’ A recent report by MoneyControl delves into the details of this alarming breach, shedding light on its origin and the sensitive information it contains.
According to Resecurity, the compromised database, comprising data from over 81.5 crore Indians, was acquired in bulk from another source on the dark web. Shockingly, it is disclosed that this extensive data repository was procured from a now-closed dark web forum in the previous year for a sum of $50,000 (equivalent to Rs 41.64 lakh).
The compromised database was initially advertised as containing crucial information such as Aadhaar and Passport details of Indian citizens. However, the individual behind the alias ‘pwn0001’ has since clarified that only a meager 10 percent of the dataset includes Aadhaar details, and passport details are found in only a few thousand records. In a further revelation, the hacker intended to sell this database for $80,000 to recoup their investment.
To substantiate the validity of the compromised data, the cybersecurity agency Security disclosed that ‘pwn0001’ presented spreadsheets to potential buyers as proof. These spreadsheets contained fragments of UID data.
In a particular instance, one of these fragments contained information related to 1,00,000 individuals residing in India. Resecurity’s HUNTER team verified some Aadhaar Card IDs using this sample data.
The timing of this data breach is noteworthy as India has recently passed the Digital Personal Data Protection Act, which imposes significant penalties on platforms responsible for leaking personal data. Under this law, fines of up to Rs 250 crore can be levied in cases of data breaches. However, it is worth noting that the law has yet to be implemented.
Additionally, Security reported another alleged breach in August involving a substantial 1.8 terabytes of data attributed to an ‘Indian internal law enforcement organization.’
This dataset purportedly contained personally identifiable information, including Aadhaar IDs, Voter IDs, and driving license records. Nevertheless, the Indian government has not officially confirmed or denied the occurrence of this data breach at this time.
