An American cyber security company has said that the personally identifiable information of many Indian citizens, including Aadhaar numbers and passport details, were being sold on the dark web
The story so far: On October 15, Resecurity, an American cyber security company, said that personally identifiable information of 815 million Indian citizens, including Aadhaar numbers and passport details, were being sold on the dark web. Threat actors were willing to sell the data for $80,000, the company said in a blog post. It further said that the data on sale was found to be valid. The threat actors selling the data claimed it was sourced from the Indian Council of Medical Research (ICMR), which has been subjected to numerous cyber-attack attempts with 6,000 incidents being reported last year alone.
What is the nature of the Personally Identifiable Information?
Personally Identifiable Information or PII is information that when used alone or with other relevant data, can identify an individual. PII may be direct identifiers like passport information or quasi-identifiers that can be combined with other information to successfully recognise an individual. The data being sold on the dark web included one’s Aadhaar number, a unique 12-digit individual identification number issued by the Unique Identification Authority of India (UIDAI) on behalf of the Indian government. This data was being sold by a threat actor going by the name pwn0001.
However, another threat actor by the name of “Lucius” also claimed to have access to a more extensive array of PII data which included voter IDs and driving licence records.
How did such actors gain access to sensitive data?
Threat actors selling stolen data on the dark web declined to specify how they obtained the data without which any effort to identify the source of the data leak would be speculative. Lucius, the second threat actor found selling data online claimed to have access to a 1.8 terabyte data leak impacting an unnamed “India internal law enforcement agency”. However, the claim is yet to be authenticated.
India’s junior IT minister Rajeev Chandrasekhar shared that the country’s Computer Emergency Response Team is investigating reports of the data leak, and that the government is still working on moving massive amounts of data, including legacy data collected over the past decades, to a safe storage. However, he did not confirm or comment on the size of the alleged leak.
Data samples observed by researchers contain multiple references to UIDAI and Aadhaar cards, as well as voter ID cards. It is also possible that threat actors successfully breached a third-party aggregating these details.
How secure is our PII data?
While the government of India has often denied allegations of biometric data leak from Aadhaar in the past, Mr. Chandrasekhar said the government ecosystem will take time to transition to a bullet proof set-up, one which manages data and keeps it in a safe and responsible manner. He further said that Aadhaar data leaks were also reported in 2018, 2019, and 2022, with three instances of large-scale leaks being reported, including one in which farmer’s data stored on the PM Kisan website was made available on the dark web.
Earlier this year, reports emerged that a bot on the messaging platform Telegram was returning personal data of Indian citizens who registered with the COVID-19 vaccine intelligence network (CoWIN) portal.
At the time, the Health Ministry denied reports of a data breach and said that allegations were “mischievous in nature and that CERT-In was reviewing the existing security infrastructure of the portal.”
However, UIDAI on its website says all Aadhaar holders’ data is safe and secure in the Central Identities Data Repository (CIDR) of UIDAI and that they have never been breached in all its years of existence. It further adds that UIDAI uses advanced security technologies to keep data safe and keeps upgrading them to meet emerging security threats and challenges.
What are the threats arising from the leaked information?
India being one of the fastest growing economies of the world, ranked fourth globally in all malware detection in the first half of 2023, according to a survey from Resecurity. A separate vendor survey of 200 Indian IT decision makers published in September produced similar findings where 45% of Indian businesses said they experienced more than a 50% rise in disruptive cyberattacks last year. The report also found that 67% of Indian government and essential services organisations experienced over a 50% increase in disruptive cyberattacks.
The unrest in West Asia and increase in attacks by threat actors capitalising on the chaos exposed personally identifiable data significantly, increasing the risk of digital identity theft. Threat actors leverage stolen identity information to commit online-banking theft, tax frauds, and other cyber-enabled financial crimes.
A significant spike in incidents involving Aadhaar IDs and their leakage on underground cybercriminal forums by threat actors are looking to harm Indian national and residents, Resecurity said in a blog post.
What can users do to safeguard their personal information?
Users should try to ascertain if their information was leaked in the data leak. Users should also be alert and approach emails for unknown sources with caution as stolen information may be used to target users in phishing campaigns.
It is also advised to change existing user IDs and passwords to ensure that stolen data cannot be used for launching brute force attacks.
Users should also implement two-factor authentication for all their accounts and inform the concerned authorities in case they notice any suspicious activity in their online accounts.