800m Indians reportedly exposed in massive data breach

Highly sensitive personal information belonging to more than 800 million Indians is being offered online for $80,000, according to a US security firm.

Over half of more than 1.4 billion people in the world’s most populous nation may have been affected by the alleged breach, which could be India’s biggest if confirmed.

The US-based cybersecurity company Resecurity said it had identified millions of personal information records belonging to Indian residents on sale on the dark web in early October.

The personal data offered online reportedly includes Aadhaar biometric ID cards and passport information, as well as names, phone numbers, and addresses.

Aadhaar is the world’s largest biometric ID system, with an estimated number of 1.4 billion cards issued by government authorities since the program’s launch in 2009. The cards hold biometric information such as fingerprints and iris scans.

Both citizen and non-citizen residents of India can be issued an Aadhaar card, which is voluntary but can function as a digital ID for online payments. There are also plans to link it with voter registration, and 60% of India’s 945 million eligible voters have already done so.

According to Indian media reports, the data was extracted from COVID-19 test details of citizens registered with the Indian Council of Medical Research (ICMR), the country’s leading medical research institution.

As reported by The Hindu, a Chennai-based daily, the ICMR has faced multiple cyberattacks since February. In June, a Telegram chat allowed people to fetch entries from the CoWIN vaccination portal’s database, potentially leading to the Aadhaar or passport number leak, it said.

At the time, India’s government denied reports of the leak, which experts described as potentially one of the country’s worst digital security breaches. The episode is reportedly being probed.

Resecurity said it had already observed a spike in incidents involving Aadhaar IDs and warned that it created a “significant risk” of digital identity theft, with the potential to leverage the stolen information in cyber-enabled financial crimes, such as online banking or tax refund frauds.