The personal data of 81,000,000 Indians are up for sale on the dark web in what is reportedly the biggest data leak in the country’s history.
This comes after a breach of the Indian Council of Medical Research (ICMR), though the exact epicentre of the leakage has not yet been determined.
A Twitter account (@pwn0001) has advertised a database on the dark web that holds the personal data of 81,000,000 Indians. Aadhaar (an ID number) and passport information, phone numbers and addresses are reported to have been sourced from the ICMR’s database of Covid-19 test details.
Pwn0001 shared spreadsheets containing four large leak samples with fragments of Aadhaar data as proof. One of the leaked samples contains 100,000 records of PII related to Indian residents. In this sample leak, analysts identified valid Aadhaar Card IDs, which were corroborated via a government portal that provides a “Verify Aadhaar” feature.
"First and foremost it's crucial to acknowledge that the information pertaining to an individual’s health is highly sensitive and personal. When individuals share this data with healthcare organizations they do so with the understanding that it will be handled with care and confidentiality.
The breach of such data not only undermines this trust but also exposes individuals to potential identity theft, fraud, and other malicious activities. Healthcare organizations must do everything in their power to safeguard patient data, and one of the most effective approaches is to implement data-centric security measures.
Data-centric security focuses on securing the data itself rather than solely relying on perimeter defences. This approach includes encryption, tokenization, access controls, data masking, and monitoring, all of which contribute to a multi-layered defence against data breaches."
- Erfan Shadabi, cybersecurity expert at comforte AG
The ICMR has been under a significant amount of pressure, seeing over 6,000 attempted breaches in the last year alone. Several national agencies had previously asked the ICMR to take remedial action to avert data leaks, say sources familiar with the story.
India’s Central Bureau of Investigation (CBI) is likely to conduct a full investigation once the ICMR files a complaint, as several indicators point towards the involvement of foreign actors.