Massive Dark Web Data Breach Puts India at Risk of Digital Identity Theft and Financial Fraud, Resecurity Warns

According to a report from the HUNTER division of the U.S. cybersecurity company Resecurity, India has suffered what is considered its most extensive data breach to date, with the personal information of 815 million citizens now offered for sale on the dark web. This shocking discovery underscores the urgent need to strengthen data security measures.

In an interview, Resecurity emphasized that the significant leakage of Indian personally identifiable information (PII) data on the dark web poses a massive risk of digital identity theft. Cybercriminals may exploit this stolen identity information to carry out various financially motivated frauds in India.

Furthermore, "threat actors" have indicated through updated posts that this data originates from government systems. These pieces of information might have leaked when third parties collected data for "know your customer" (KYC) purposes.

On October 15, Resecurity HUNTER published a concerning blog post, stating that an unidentified threat actor, operating under the alias "pwn0001," posted an advertisement on the BreachForums forum claiming to sell 8.15 billion records of "Indian citizen Aadhaar and passport" data. This advertisement was posted on October 9, with the entire dataset priced at $80,000.

The "threat actor" claims that this data comes from COVID-19 test records of Indian citizens during the COVID-19 pandemic, purportedly sourced from the Indian Council of Medical Research (ICMR). Notably, ICMR has been the target of multiple hacking attempts since February this year, with over 6,000 reported cyberattacks. Indian government agencies and committees are fully aware of these threats and have urged ICMR to take adequate remedial measures to safeguard the data.

This data breach has raised concerns about the potential involvement of foreign actors, and senior officials from Indian agencies and ministries are addressing the situation. Remedial measures are being taken, and standard operating procedures (SOPs) have been implemented to mitigate the losses.

Resecurity's report indicates that the dataset provided by the "pwn0001" threat actor includes personally identifiable information (PII) records containing various sensitive details such as names, father's names, phone numbers, passport numbers, Aadhaar numbers, ages, genders, addresses, regions, PIN codes, and states, among other information.

However, "pwn0001" has refused to disclose the source of this data, leaving the reasons for the leak purely speculative.

Meanwhile, "pwn0001" shared spreadsheets containing four significant leak samples, using Aadhaar data fragments as evidence. One of the leaked samples contains 100,000 PII records related to Indian residents.

Resecurity's report states that in this leaked sample, HUNTER analysts identified valid Aadhaar card IDs, which were confirmed through the Indian government portal's "verify Aadhaar" feature. This feature allows people to verify the authenticity of Aadhaar credentials.

Resecurity also highlights another threat actor, operating under the alias "Lucius," who posted an advertisement on the BreachForums forum on August 30, announcing a 1.8TB data leak affecting an undisclosed "Indian internal law enforcement organization."

The report goes on to note that the PII data in the dataset leaked by "Lucius" is even more extensive than the data released by "pwn0001." In addition to Aadhaar IDs, the information disclosed by "Lucius" includes voter IDs and driver's license records.

According to Resecurity, the threat actors may be using references to a law enforcement department to divert attention and conceal the true intrusion vectors that gave them access to the data, or may merely be attempting to generate publicity around their products.

HUNTER analysts favored the first breach scenario, having identified multiple records bearing a "PREPAID" signature. They stated that this signature might point to a breach at a telecom operator that offers prepaid SIM cards and similar services and collects such information for KYC (know your customer) purposes.

The report adds, "These service products also require the collection of PII data to verify customers before activating mobile services."

From: On DarkNet – Dark Web News and Analysis
Copyright of the article belongs to the author, please do not reproduce without permission.
