
CoWIN Data Leak | Here are the biggest breaches in India's history

Reports on Monday have claimed that the CoWIN database in India was breached, leading to the sharing of personal and sensitive user information on a Telegram channel. The government has denied any evidence of a breach but is investigating the possibility of a hack. According to previous research, India accounted for 20 percent of all exposed records from data breaches in 2022. India has experienced several high-profile data breach incidents in recent years, affecting organizations such as the Aadhaar database, Air India, BigBasket, Dominos, and the State Bank of India.


By Vijay Anand  Jun 12, 2023 3:37:21 PM IST (Updated)

On Monday, India was roiled by media reports that the CoWIN database was breached, with personal and sensitive information of users being shared on a Telegram channel. The Centre, while denying that there was any evidence of a breach, said it is looking into the possibility that the database could have been hacked.

Just last month, CNBC-TV18 — citing research by Tenable, a cybersecurity company based in Maryland, US — reported that India accounted for 20 percent of all records exposed as a result of data breaches in 2022.
Over the past few years, several high-profile data breach incidents have come to light. Among those targeted were big names like the Aadhaar database, Air India, BigBasket, Dominos, and State Bank of India. Here's a list of the major data breaches in India in the past few years, starting from the latest.
2022 card data 
On October 12, 2022, cybersecurity researchers from AI-driven Singapore-headquartered CloudSEK discovered a threat actor advertising a database of 1.2 million cards for free on a Russian-speaking Dark Web cybercrime forum. This followed another incident of 7.9 million cardholder data advertised on the BidenCash website. This included data belonging to customers of the State Bank of India (SBI).
Dominos India — May 2021
On May 22, 2021, Dominos India, a subsidiary of Jubilant FoodWorks, experienced a cyberattack resulting in the leakage of data from 180 million orders. The breach exposed order details, email addresses, phone numbers, and credit card details. Jubilant FoodWorks confirmed an information security incident but denied any unauthorised access to financial information.
Air India — May 2021
In May 2021, Air India fell victim to a cyberattack that compromised the personal details of approximately 4.5 million customers worldwide. The breach exposed personal data registered between August 26, 2011, and February 3, 2021, including names, dates of birth, contact information, passport information, ticket details, Star Alliance and Air India frequent flyer data, as well as credit card data.
BigBasket — November 2020
In November 2020, online grocer BigBasket suffered a data breach that compromised the personal details of over 20 million users. An unsecured database file containing over 15 GB of user data was hacked into — leaked information included email IDs, password hashes, PINs, phone numbers, addresses, dates of birth, locations, and IP addresses. BigBasket acknowledged the breach and filed a case with the Bengaluru Cyber Crime cell.
Unacademy — May 2020
In May 2020, the online learning platform Unacademy experienced a data breach that compromised the email data of over 11 million users. While no sensitive information such as financial data or passwords was leaked, user data including IDs, passwords, date joined, last login date, email IDs, names, and user credentials were compromised. The breach was discovered when user accounts were found for sale on the dark web.
2019 credit and debit card data breach
In October 2019, a significant data breach involving credit and debit card records occurred in India. Over 1.3 million credit and debit card records from multiple Indian banks were being sold on the dark web. The breach revealed card numbers, expiration dates, CVVs, and fully personally identifiable information, including cardholders' names, emails, phone numbers, and addresses. The data was likely obtained through skimming devices installed on ATMs or Point of Sale systems or through Magecart attacks on e-commerce websites.
Kudankulam Nuclear Power Plant — September 2019
In September 2019, India's largest nuclear power plant, the Kudankulam nuclear power plant, faced a data breach. The breach involved the deployment of malware that targeted the plant's IT network. The malware, known as Dtrack, collected information from the plant's administrative network. While the attackers did not gain access to the critical internal systems, they managed to obtain valuable information such as internet search history, operating system registry data, and active processes on infected computers. The malware was traced back to the North Korea-linked Lazarus Group.
Justdial — April 2019
In April 2019, Mumbai-based local search engine Justdial experienced a data breach that leaked user details. An unprotected API (Application Programming Interface) endpoint on Justdial's old website and app allowed unauthorised access to user information. The breach exposed names, mobile numbers, email addresses, occupations, and addresses of nearly 100 million users. Justdial acknowledged the vulnerability but contested reports by asserting that user and financial information remained protected through an OTP authentication system.
SBI — January 2019
In January 2019, the State Bank of India (SBI) faced a data breach that exposed customer data and financial details. SBI's 'SBI Quick' service, designed to provide customers with account updates via text and calls, suffered a breach. An unprotected server in SBI's Mumbai data centre exposed customer-specific messages, including mobile numbers, partial account numbers, balances, and transaction details. The server lacked password protection, allowing unauthorised retrieval of sensitive information.
Although SBI resolved the issue after an initial investigation, the bank downplayed the reports and claimed that customer data and financial records remained secure.
Aadhaar — early 2018
In early 2018, concerns arose regarding the security of India's Aadhaar identification database. The Aadhaar database, managed by the Unique Identification Authority of India (UIDAI), was found to be leaking information on registered Indian citizens. This included names, bank details, and other private information, including biometric data. Anonymous sellers on WhatsApp provided unrestricted access to the Aadhaar database, bringing the issue to light. The Tribune had reported that over 1,00,000 ex-employees of the Ministry of Electronics and Information Technology had continued access to the UIDAI system, raising concerns about unauthorised data access.
Multiple instances of data leaks were discovered, including the exposure of Aadhaar information through state government websites and an unprotected system in a state-owned utility company called Indane. Over 130 million citizens' Aadhaar information was compromised due to these breaches, making it one of the largest data breaches in the world, according to the WEF Global Risk Report.
2016 Debit Card Data Breach
In October 2016, a major data breach affected millions of debit card users. The breach was caused by a malware injection in the Hitachi Payment Services system, which compromised as many as 3.2 million debit cards from major Indian banks. The Hitachi Payment Services system, responsible for ATM and Point of Sale services in India, fell victim to a malware attack. This enabled hackers to extract money from user accounts, resulting in significant losses. The breach went undetected for six weeks, and it was only after several international banks reported fraudulent card use in China and the United States that Indian banks became aware of the situation. State Bank of India (SBI), ICICI, HDFC, YES Bank, and Axis Bank were among the worst affected. SBI alone blocked and reissued 600,000 debit cards, marking one of the largest card replacement exercises in Indian banking history.
