What is worse than getting pickpocketed? It is when someone else tells you that you have gotten pickpocketed and that a piece of cloth hangs out from your garment!
Something precisely like this happened on October 9th, when a hacker with the username ‘pwn0001’ posted a thread on a dark web platform named “breach forum,” brokering access to personal data belonging to 81.5 crore Indian people! To our further shame, our government and intelligence wings remained oblivious to such a critical data breach until an American cybersecurity company, Resecurity, brought the matter to light.
The data leaked reportedly contains:
- Aadhaar details;
- Phone Numbers;
- Guardians’ names;
- Passport details;
- Pincode and State;
- Temporary and permanent address.
Thus, the personal data of 81.5 crore people (54.85% of India’s population), divided across 1,00,000 MS Excel files (total size: 90 GB), was advertised in broad daylight with a price tag of Rs. 67 lakh (USD 80,000)!
Experts fear that a data breach of such a gargantuan scale can become a tool for criminals to carry out cybercrimes like ‘identity theft’ and ‘breach of privacy,’ culminating in lethal, targeted cyberattacks.
From where has the data been leaked?
The hacker named “pwn0001” has claimed that he extracted the data from the ICMR (Indian Council of Medical Research) database. Reportedly, this data belongs to those Indians who had to get themselves tested for COVID-19!
Since the data comprising the COVID-19 test information lies scattered across various government-run sites like the National Information Center (NIC), ICMR, and the Ministry of Health, it is rather difficult to ascertain the epicentre (precise source) of the breach. However, the authenticity of the hacker’s claim was verified soon after.
Resecurity’s investigating unit, named ‘HUNTER,’ corroborated the hacker’s claim by randomly verifying the leaked data through the “Verify Aadhaar” portal and concluded that the data being advertised was genuine.
What has been the government’s response?
As shocking as it might seem, both the government and ICMR are yet to make an official statement in response to what appears to be “India’s Largest Data Breach!”
As an initial response, junior IT Minister Rajeev Chandrasekhar spoke to NDTV and said, “Not something I am happy about (about the data breach)… (but) CERT (Computer Emergency Response Team) is investigating, as its mandate. (I am) yet not privy to exact details and only understand it is an alleged leak or breach. I have no idea about the size of the (alleged) leak and don’t want to speculate.”
As per standard procedure, the Central Bureau of Investigation (CBI) is likely to investigate the issue and do damage control per the guidelines mentioned in its Standard Operating Procedure (SOP). Some insider reports suggest that ministers and top bureaucrats of several ministries were summoned for an urgent discussion after the news of the data breach was verified.
Earlier in June 2023, the government-operated CoWIN website got hacked, and the data of many vaccinated citizens (including that of several VVIPs) got leaked. In February 2023, cyber criminals hacked into the AIIMS (All India Institute of Medical Sciences) server and made away with 1 TB of data. Such was the gravity of the issue that the hospital faculty was forced into carrying out “manual report keeping” for 15 days, slowing down the already understaffed facility!
While the government advocates a holistic digital transformation of Indian society, whose cornerstone is the Aadhaar digital biometric identity system, such frequent attacks and breaches are extremely perturbing. In 2021-22 alone, the quantum of Aadhaar-related scams was worth Rs. 6.5 crores (over the last five years, the figure exceeds Rs. 10 crore)!
In 2018, while reviewing the constitutional validity of Aadhaar, the Honorable Supreme Court mentioned that the provisions of Aadhaar, if not monitored cautiously, will transform India into a surveillance state. In this particular verdict, the SC also limited the use of Aadhaar to only those fields where citizens were to avail of benefits from the government.
However, if our data is not safe even in the hands of government-run websites like the ICMR, where lies the credibility of such ostentatious and long-winded dreams of complete digitisation by the government? We ought to remain optimistic that the government will reach a consensus regarding the “security and privacy” of our data soon. Or else, this mere passing-the-buck act by our politicians shall only worsen the situation.