
A recent alleged massive Aadhaar data breach came to light when an individual using the alias “pwn0001” posted on a dark web forum offering the personal data of 815 million Indians (81.5 crore Indians).

According to the US-based cybersecurity firm Resecurity, data including names, phone numbers, addresses, Aadhaar numbers and passport information is being offered for sale online. How did a hacker obtain this supposedly secured private information of millions of Indians? How did they access such a large volume of data? What went wrong, and how can it affect these people and organisations?

“While the absolute root cause for this has not yet been identified immediately, major fingers are pointing towards a third-party data leak. The hacker in this case, “pwn001”, has shared some sample spreadsheets which indicated that this leak could have originated from third-party organizations that offer SIM cards to customers,” highlighted Srinivasa Rao, Partner, Risk Advisory Services, Nangia & Co LLP.

Outlining other potential causes of this massive data breach, he said it could be attributed to undiscovered vulnerabilities at the database level, a lack of database security hardening, insider threats, and risks originating from third parties.

“This incident underscores the need for stringent security governance practices and oversight when sharing sensitive data with external third parties and partners. To protect citizens’ information, organizations must prioritize robust security practices and continuous monitoring, both within their systems by way of periodic Information Security and Cyber Security Audits and across their network of partners and vendors as well,” Rao suggested.

He further recommended independent cyber security reviews by agencies that do not work with the organisation as vendors, so as to obtain a comprehensive review of controls.

What could be the potential impact?

The breach could lead not only to identity theft but also to financial losses resulting from it, and to the use of stolen identities to perpetrate further cybercrime.

Santosh Das, Principal Product Manager at Microsoft, outlined some of the potential impacts of this data leak in a post on LinkedIn.

“Aadhaar authentication is used by many service providers to validate the identity of individuals. The first step of an attacker in a kill chain is to do social engineering and this rich accurate data can bypass this step thus lowering the barrier to entry of attackers to perpetrate cybercrime,” he said.

“Bad actors would use vishing techniques to build credibility based on the data that they already have and pose as a credible agency or as a verifier and ask for credentials or OTP to do Aadhaar authentication,” Das further said.

He added that attackers could go a step further and impersonate a victim to obtain a new SIM card from a service provider, after gathering the victim’s photo from social media through social engineering.

“Performing SIM swap fraud would be the next step. Once they’re able to have control over the SIM card they can perform Aadhaar authentication easily against other devices. Cardless ATM withdrawal of cash is offered by a few institutions based on Aadhaar authentication and if the perpetrator is successful, it can lead to financial losses,” Das stated.

What is the current situation?

“On 9 October, a threat actor going by the name ‘pwn0001’ posted a thread on Breach Forums brokering access to 815 million ‘Indian Citizen Aadhaar & Passport’ records. Notably, India’s entire population is over 1.486 billion people,” the US firm wrote in a blog post.

It said that investigators from its HUNTER (HUMINT) unit, who established contact with the threat actor, learned that the actor was willing to sell the entire Aadhaar and Indian passport database for USD 80,000.

According to media reports, the Central Bureau of Investigation (CBI) is currently investigating the breach advertised by the hacker “pwn0001”.

It was also revealed recently through a social media post that unknown hackers had leaked the personal data of over 800 million Indians drawn from COVID-19 records. The leaked data includes name, father’s name, phone number, other number, passport number, Aadhaar number, age, etc.

Earlier, in June, the government had launched an investigation into a data breach after the personal data of vaccinated citizens, including VVIPs, was allegedly leaked from the CoWin website.

  • Published On Nov 2, 2023 at 07:57 AM IST
