Massive dark web data leak exposes India to digital identity theft and financial scams, warns Resecurity

A cybersecurity and intelligence report claims personal details of 81.5 crore citizens are on sale on dark web. According to a News18 exclusive report, the ‘threat actor’ claimed the data — extracted from the COVID-19 test details of citizens — was sourced from ICMR.

By Kanishka Sarkar | Oct 31, 2023 8:12:14 PM IST (Updated)

In what is believed to be India's most extensive data breach, the personal information of 81.5 crore citizens is now available for sale on the dark web, as reported by American cybersecurity firm Resecurity HUNTER. This alarming revelation highlights the critical need for enhanced data security measures.

Resecurity, while speaking to CNBC TV18, emphasised that the massive leak of Indian Personally Identifiable Information (PII) data on the Dark Web poses a substantial risk of digital identity theft. Cybercriminals, by exploiting these stolen credentials, can potentially conduct various financially motivated scams targeting India.
Furthermore, the 'bad actor' indicated, through an updated post, that the data had originated from a government system. There is also a possibility that this information might have been compromised by a third party involved in collecting data for Know Your Customer (KYC) purposes.
On October 15, Resecurity HUNTER issued a concerning blog post, stating that an unidentified threat actor, operating under the alias 'pwn0001,' advertised the sale of 815 million "Indian Citizen Aadhaar and Passport" records on Breach Forums. The offer, posted on October 9, came with a price tag of $80,000 for the entire dataset.
The 'threat actor' claimed that this data was derived from COVID-19 test records of Indian citizens and allegedly sourced from the Indian Council of Medical Research (ICMR). It's noteworthy that ICMR had been subjected to numerous cyber-attack attempts since February, with over 6,000 incidents reported last year. Central agencies and the council were well aware of these threats and had urged ICMR to take remedial actions to safeguard the data.
Despite numerous attempts to reach out, News18 had received no response from the ICMR DG as of October 28, leaving the matter open to further investigation and clarification.
This data breach has raised concerns about foreign actors' potential involvement, and top officials from various agencies and ministries are already addressing the situation. Remedial actions are underway, and a Standard Operating Procedure (SoP) has been implemented to mitigate the damage.
The Resecurity report pointed out that the dataset offered by the threat actor pwn0001 contained personally identifiable information (PII) records, encompassing sensitive details such as names, father's names, phone numbers, passport numbers, Aadhaar numbers, ages, genders, addresses, districts, pincodes, and states.
However, pwn0001 declined to reveal the source of this data, leaving the cause of the breach to speculation.
“Concurrently, pwn0001 shared spreadsheets containing four large leak samples with fragments of Aadhaar data as proof. One of the leaked samples contains 100,000 records of PII related to Indian residents. In this sample leak, HUNTER analysts identified valid Aadhaar Card IDs, which were corroborated via a government portal that provides a "Verify Aadhaar" feature. This feature allows people to validate the authenticity of Aadhaar credentials,” it added.
Resecurity also highlighted another threat actor going by the alias ‘Lucius’ that posted on August 30 a thread on Breach Forums promoting a 1.8 terabyte data leak impacting an unnamed “India internal law enforcement organisation.”
The report goes on to say the dataset contained an even more extensive array of PII data than pwn0001's. Beyond Aadhaar IDs, Lucius' leak contained Voter IDs and driving licence records.
According to Resecurity, the threat actor may be referencing law enforcement to plant a red herring and conceal the real intrusion vector that enabled them to acquire the data, and/or may simply be trying to generate hype around their offering.
Pointing to the first scenario, HUNTER analysts identified multiple records carrying the signature "PREPAID." They said this signature may indicate that the data leaked from one of the telecommunication carriers that offer prepaid SIM cards and similar services, which collect such information for KYC (Know Your Customer) checks.
“These service offerings also entail the collection of PII data to validate customers prior to the activation of mobile services,” it added.
With inputs from Parikshit Luthra
