Resecurity, a US cybersecurity firm, published a blog in early October pointing towards a general trend of the personal data of Indians being sold over the dark web. The firm found that a threat actor had advertised the sale of close to 815 million Aadhaar records for $80,000. The blog, citing other instances when Indians’ personal information was put up for sale, raised concerns about identity theft. A threat actor with the alias ‘pwn0001’ claimed that they could sell records of 815 million Indians, including names, ages, phone numbers, Aadhaar numbers and addresses. pwn0001 shared a sample, which had 1 lakh phone numbers and Aadhaar numbers. The sample dataset includes personal information of children as young as 10. It is yet unclear from which database the records of 81.5 crore Indians, including children’s Personally Identifiable Information (PII), have been breached.
A News18 report claims that the Indian Council of Medical Research (ICMR)’s database was breached. The report also claims Indian Computer Emergency Response Team (CERT-In) has informed ICMR of the breach and it has to verify it. If this indeed proves to be the case, it is unclear why ICMR would have details of 10-year-olds.Resecurity’s HUNTER investigators identified two threat actors brokering access to Indian PII and Aadhaar records on Breach Forums, a leading cybercriminal hub. In October, Resecurity flagged a thread posted by a threat actor using the online handle ‘pwn0001,’ claiming they were in possession of a database containing 815 million Indian citizen Aadhaar and passport records. Concurrently, the actor shared spreadsheets containing four large leak samples with fragments of Aadhaar data as a proof. One of the leaked samples contains 100,000 records of PII related to Indian residents.
In August, another threat actor going by the alias ‘Lucius’ posted a thread on Breach Forums promoting a 1.8 terabyte data leak impacting an unnamed “India internal law enforcement organization.” This data set contained an even more extensive array of PII data than pwn0001‘s.According to Resecurity, one of the main sources of this data – breached 3d parties attacked by cybercriminals to steal PII. Typically, such data is collected by financial institutions, lending companies and mobile carriers, which makes them a target for cyber attacks. Resecurity’s discovery coincides with a global threat landscape that has seen India emerge as a top-five geography for cyberattacks, according to a recent vendor survey. This survey found that India ranked fourth globally in online banking malware detection and top-five globally in all malware detections in the first half of 2023.The leak of PII data containing Aadhaar (and other details) of Indian citizens on the Dark Web creates a significant risk of digital identity theft. Threat actors leverage stolen identity information to commit online banking theft, tax refund frauds, and other cyber-enabled financial crimes.