ICMR data breach exposes details of 81.5 crore Indians: What you need to know

SIDDARDA GOWTHAM JAGABATHINA
Oct 31, 2023

Personal information of 815 million (81.5 crore) Indian citizens has been compromised: their Aadhaar and passport details, names, phone numbers, and addresses were put up for sale on the dark web. Here’s a rundown of the key details surrounding this alarming breach:

The compromised data is believed to have leaked from the database of the Indian Council of Medical Research (ICMR), raising serious concerns about the security of sensitive medical records. According to reports, the hacker claimed that the data was extracted from the COVID-19 test details of citizens, which were sourced from the ICMR. On October 9, the hacker, using the alias ‘pwn0001’, posted a jaw-dropping offer on a notorious dark web forum, listing the entire dataset for sale at $80,000 (approximately Rs 67 lakh).

Cybersecurity firm Resecurity engaged with the hacker ‘pwn0001’, who shared spreadsheets containing Aadhaar data for verification. Resecurity’s team confirmed the authenticity of the IDs, highlighting the severity of the breach. Since February 2023, there have been more than 6,000 reported cyberattacks on the ICMR. While the medical research organization was made aware of these attempts, it appears that ‘pwn0001’ successfully breached the ICMR’s defenses.

This isn’t the first instance of a major data breach affecting Indians. In August, Resecurity reported another breach that involved a colossal 1.8 terabytes of data being sold online with the title ‘Indian internal law enforcement organization’. Disturbingly, this breach also included personally identifiable information sourced from Aadhaar IDs, Voter IDs, and driving license records. Some of these records were traced back to a company specializing in pre-paid SIM cards.

Resecurity’s findings coincide with a global threat landscape that has seen India emerge as a top-five geography for cyberattacks, according to a recent vendor survey. This survey found that India ranked fourth globally in online banking malware detection and top-five globally in all malware detections in the first half of 2023.

Another breach in June exposed the Aadhaar and/or passport numbers of vaccinated individuals when a Telegram bot enabled individuals to retrieve information from the COWIN vaccination portal’s database. Two people, including a minor, were arrested for the breach.

The legal framework for such data breaches is still pending, as the Digital Personal Data Protection Act of 2023, despite receiving approval from the Parliament and the President’s assent in August, has not yet been officially enforced.