A blog post published by US-based cybersecurity firm Resecurity has claimed that the personally identifiable information (PII) of about 815 million (81.5 crore) Indians has been leaked on the dark web. The report reveals that data including names, phone numbers, addresses, and Aadhaar and passport information is for sale online. The blog post was cited by media portals including Business Standard, Times Now and Mint, among many others.
“On 9 October, a threat actor going by the name ‘pwn0001’ posted a thread on Breach Forums brokering access to 815 million ‘Indian Citizen Aadhaar & Passport’ records. Notably, India’s entire population is over 1.486 billion people,” Resecurity wrote in the blog post.
The blog post further claims that investigators from the company’s HUNTER (HUMINT) unit, who established contact with the threat actor, learned that the actor was willing to sell the entire Aadhaar and Indian passport database for $80,000.
An Aadhaar is a unique, 12-digit individual identification number “issued by the Unique Identification Authority of India on behalf of the Government of India,” according to the UIDAI website. Aadhaar enrollment is strictly voluntary and only proves residence in India, not Indian citizenship. Beyond the PII found on traditional ID documents, Aadhaars include “core biometrics,” including 10 fingerprints and two iris scans, according to a September 2023 UIDAI brochure.
Mentioning the Brookings report, the blog further stated, “Election Commission of India wants to link their voter registration database with Aadhaar, a move that would have profound consequences not only for the privacy of Indian citizens but for the future of biometric databases worldwide.”
Resecurity’s HUNTER investigators have identified two threat actors on the new Breach Forums. On October 9th, a threat actor going by the alias ‘Lucius’ posted a thread on Breach Forums promoting a 1.8-terabyte data leak impacting an unnamed “India internal law enforcement organization,” according to the blog.
As per media reports, the Central Bureau of Investigation (CBI) is currently investigating the breach that was discovered by hacker “pwn0001.”
Another report by News18 states that the compromised data might be from the Indian Council of Medical Research (ICMR) database.
Similarly, a report from the credit-rating agency Moody’s had also raised concerns last month regarding this data breach and Aadhaar’s biometric authentication controls. But the Indian government’s Press Information Bureau quickly rejected the claims, pointing out the absence of breaches in the database.
However, the data breach claim has come as a major blow to the government, which has been taking steps to digitize the economy and has built digital public infrastructure (DPI) based on biometric identification.