In what is being described as potentially one of the biggest data leaks in the country's history, personal information belonging to more than 815 million Indians has reportedly been compromised and posted online on the dark web. This extensive breach is believed to have originated from the Indian Council of Medical Research (ICMR) and encompasses sensitive details such as Aadhaar and passport information, names, phone numbers, as well as both temporary and permanent addresses of millions of Indian citizens.
A U.S.-based cybersecurity agency known as Resecurity has issued a comprehensive report on this security breach. According to their findings, a hacker operating under the pseudonym 'pwn0001' disclosed the breach's specifics on Breach Forums on October 9. The hacker claimed to possess 815 million records, comprising Aadhaar and passport data, names, phone numbers, and addresses. These records, as per the hacker, were allegedly extracted from the COVID-19 test registration data maintained by the ICMR. Despite this disclosure, there has been no official confirmation of the data breach from the government.
Resecurity's HUNTER (HUMINT) unit identified millions of personally identifiable information (PII) records linked to Indian residents, including Aadhaar cards, available for sale on the dark web.
The hacker, pwn0001, reportedly provided some spreadsheets as proof, which contained segments of Aadhaar data. Among these, there was a dataset with details of 100,000 individuals residing in India. The HUNTER team verified some of the Aadhaar Card IDs from this dataset and confirmed their authenticity by cross-referencing them with a government website designed to verify Aadhaar details.
In a related development on August 30, an individual named 'Lucius' claimed to have leaked a substantial volume of data. This leak, amounting to 1.8 terabytes, was labelled "India Internal Law Enforcement Organization" and included even more personal information than the leak attributed to pwn0001. It featured Aadhaar IDs, Voter IDs, and driving license records. Notably, the HUNTER team found records labelled "PREPAID," suggesting that the breach might have originated from a company specializing in prepaid SIM cards. Such companies typically collect personal information to verify the identity of customers before providing mobile services.
As of now, this breach represents a significant concern for data security and privacy in India, and the government's response and efforts to address this incident are awaited.