Data breaches in India

Data breach incidents in India were the second highest globally in 2018, according to a report by digital security firm Gemalto. [1] [2] With over 690 million internet subscribers [3] and growing, India has seen a rise in data breaches in both the private and public sectors. [4] [5] This is a list of some of the biggest data breaches in the country.

2016 debit card data breach

In October 2016, it was reported [6] [7] that as many as 3.2 million debit cards from major Indian banks were compromised due to a malware injection in the Hitachi Payment Services system. Hitachi provides ATM and point-of-sale services in India, and the malware enabled hackers to extract money from user accounts. The NPCI (National Payments Corporation of India) reported losses of nearly 13 million INR ($195,000 USD in 2016) in fraudulent transactions. [7] [8] The worst-hit banks included the State Bank of India (SBI), ICICI, HDFC, YES Bank and Axis Bank, among others. The breach went undetected for 6 weeks, and banks were alerted only after several international banks reported fraudulent use of cards in China and the United States while the customers were in India. SBI blocked and reissued 600,000 debit cards, in what was reported to be one of the biggest card replacements in Indian banking. [9]

Aadhaar data breach

India's Aadhaar data breach was one of the biggest data breaches in 2018

In early 2018, the Indian government's identification database Aadhaar (similar to SSN) was reported to be leaking information on every registered Indian citizen, [10] including names, bank details and other private information like biometric data. [11] Managed by the Unique Identification Authority of India (UIDAI), Aadhaar is a unique identification number obtained by over 1.1 billion [12] [13] residents or passport holders of India based on their biometric and demographic data. The data leak was first revealed after anonymous sellers over WhatsApp provided unrestricted access to the Aadhaar database for nominal costs. [14] [15] The Tribune, an Indian newspaper, reported that over 100,000 ex-employees of the Ministry of Electronics and Information Technology continued to have free access to the UIDAI system and, therefore, the Aadhaar database. Another data leak was found in the following months, wherein an unprotected system at the state-owned utility company Indane (LPG) allowed anyone to access private information on all Aadhaar holders. The company had unlimited access to the Aadhaar database to verify user accounts, and an unprotected API endpoint in the company's system allowed unauthorized queries to the database for potentially all Aadhaar holders. [10] The exposure was not only indirect: Aadhaar information of over 130 million citizens was breached through state government websites, as over 200 government websites erroneously made the database public. [13] [16] [17] The UIDAI has unequivocally denied any data breach in the Aadhaar database, [18] [19] even though many of the unsecured endpoints and government websites with unauthorized data access were taken offline after the reports. UIDAI also filed a case against The Tribune under Sections 419, 420, 468 and 471 of the Indian Penal Code (IPC), alleging false reporting. [20] The WEF Global Risk Report deemed the Aadhaar breach the largest data breach in the world. [21]

SBI data breach

In January 2019, SBI exposed customer data, including mobile numbers, partial account numbers, balances and transaction details from an unprotected server in its Mumbai data center. [22] [23] The server hosted SBI's "SBI Quick" service, a text and call based system to provide inquiring customers with updates on account balances, recent transactions and credit information. [22] The server was not password protected and allowed the retrieval of customer-specific messages through the back-end text messaging system. [23] The outgoing messages from the system were available in real time, along with over two months of daily archives, exposing financial details of millions of customers. Though SBI resolved the issue after the initial investigation by TechCrunch, [24] the bank dismissed the reports, saying customer data and financial records remained secure. [25]

Justdial data breach

In April 2019, the Mumbai-based local search engine Justdial was hit by a data breach that leaked details, including names, mobile numbers, email IDs, occupations and addresses, of nearly 10 crore (100 million) users. [26] [27] [28] Multiple sources suggested that the leak was due to an unprotected API endpoint [29] [30] that had been accessible since mid-2015 on the company's old website and app. While Justdial admitted that certain user details were vulnerable on the old version of the app, the company largely refuted the reports, suggesting that user and financial information was protected by the search platform through an OTP authentication system. [31]

Kudankulam nuclear power plant data breach

In September 2019, the Nuclear Power Corporation of India (NPCI) confirmed that India's largest nuclear plant, the Kudankulam nuclear power plant, was attacked by malware that collected information on the plant's IT network. [32] [33] The breach was detected after a data file with traces of the Dtrack malware was uploaded to a cyber security firm's website. [34] CERT-India detected the malware on an infected PC connected to the administrative network. The NPCI claimed that the malware did not have access to the OT network responsible for internal, critical plant systems. [35] The malware was tailored specifically for the plant: the attackers had earlier broken into the plant's IT networks, stolen admin credentials and used them to gain more information about the plant's networks through the malware. Multiple reports suggested that the malware was deployed solely to collect information, [32] [33] including internet search history from the browser installed on the infected PC, local operating system registry information such as registered owner, registered organization and current user, and the list of active processes on the PC. The information was written into temporary files extracted from a remote server by the attacker. The Dtrack malware has been traced back to the North Korea-linked [36] Lazarus Group.

2019 credit and debit card data breach

In October 2019, over 13 lakh (1.3 million) credit and debit card records were being sold on the dark web card shop Joker's Stash, a site used by cybercriminals for buying and selling card details. [37] [38] Group-IB, a Singapore-based company, revealed that over 98% of the cards in the database belonged to multiple Indian banks, with each card being sold for over $100. [38] The data breach revealed card numbers and expiration dates along with CVVs. Fully personally identifiable information, including cardholders' names, emails, phone numbers and addresses, was also available in the database. [37] [39] The card details were possibly obtained via skimming devices installed either on ATMs or point-of-sale (PoS) systems, [37] or through Magecart attacks, wherein JavaScript code is injected into e-commerce websites to intercept payment data. [40] Another major card dump of over 460,000 cards was put up for sale on Joker's Stash in February 2020 with similar fully personally identifiable information, selling at $9 per card. [40] The breach is currently deemed to be the biggest card dump on the internet. Investigations into the breach are still pending.

BigBasket data breach

In November 2020, the Bangalore-based online grocer BigBasket suffered a data breach that leaked the details of its over 2 crore (20 million) users, including email IDs, password hashes, PINs, phone numbers, addresses, dates of birth, locations and IP addresses. [41] The data breach was noticed after the data was put on sale on the dark web for almost ₹30 lakh INR ($40,000 USD in 2020). [41] The cause of the breach was an unsecured SQL file, potentially hacked into using an SQL injection, that contained over 15 GB of user data. [42] BigBasket has acknowledged the breach [43] and filed a case with the Bangalore Cyber Crime cell. The breach is currently under investigation.

Unacademy data breach

In May 2020, the Bangalore-based online learning platform Unacademy found that email data of over 11 million users had been compromised, but that no sensitive information such as financial data, location or passwords had been breached. [44] [45] The breach was revealed after the company's 20 million user accounts were being sold on the dark web for almost ₹1.5 lakh INR ($2,000 USD). [46] [47] Cyble, a cybercrime monitoring company, claimed that beyond user accounts, user data including IDs, passwords, date joined, last login date, email IDs, names and user credentials had also been breached. [44] [48] Unacademy is yet to verify whether the entire database was vulnerable to the breach.

Air India data breach

On 21 May 2021, it was reported that Air India was subjected to a cyberattack in which the personal details of about 4.5 million customers around the world were compromised. The breach involved personal data registered between 26 August 2011 and 3 February 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data, as well as credit card data. [49] [50]

Dominos India data breach

On 22 May 2021, it was reported that Dominos India, a subsidiary of Jubilant FoodWorks, had witnessed a cyberattack and that the data of 18 crore orders was leaked on the dark web, including order details, email addresses, phone numbers and credit card details. Jubilant FoodWorks stated that they had experienced an information security incident and denied any financial information being accessed by the hackers. [51]

Related Research Articles

A data breach is a security violation, in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen, altered or used by an individual unauthorized to do so. Other terms are unintentional information disclosure, data leak, information leakage and data spill. Incidents range from concerted attacks by individuals who hack for personal gain or malice, organized crime, political activists or national governments, to poorly configured system security or careless disposal of used computer equipment or data storage media. Leaked information can range from matters compromising national security, to information on actions which a government or official considers embarrassing and wants to conceal. A deliberate data breach by a person privy to the information, typically for political purposes, is more often described as a "leak".

Aadhaar: Indian national identification number

Aadhaar is a 12-digit unique identity number that can be obtained voluntarily by the citizens of India and resident foreign nationals who have spent over 182 days in twelve months immediately preceding the date of application for enrolment, based on their biometric and demographic data. The data is collected by the Unique Identification Authority of India (UIDAI), a statutory authority established in January 2009 by the Government of India, under the jurisdiction of the Ministry of Electronics and Information Technology, following the provisions of the Aadhaar Act, 2016.

Ram Sewak Sharma

Ram Sewak Sharma is an Indian bureaucrat and former civil servant. From February 2021 till February 2023, he served as the Chief Executive Officer of the National Health Authority, an Indian governmental organisation tasked with managing public health insurance. Previously, he headed the Telecom Regulatory Authority of India and the Unique Identification Authority of India.

The National Payments Corporation of India is an umbrella organization for operating retail payments and settlement systems in India. It is an initiative of the Reserve Bank of India (RBI) and the Indian Banks' Association (IBA) under the provisions of the Payment and Settlement Systems Act, 2007, for creating a robust payment and settlement infrastructure in India.

RuPay (a portmanteau of Rupee and Payment) is an Indian multinational financial services and payment service system, conceived and launched by the National Payments Corporation of India (NPCI) in 2014. It was created to fulfil the Reserve Bank of India's (RBI) vision of establishing a domestic, open and multilateral system of payments. RuPay facilitates electronic payment at all Indian banks and financial institutions. NPCI maintains ties with Discover Financial and JCB to enable the RuPay Card scheme to gain international acceptance.

Dexter is a computer virus or point of sale malware which infects computers running Microsoft Windows and was discovered by IT security firm Seculert, in December 2012. It infects PoS systems worldwide and steals sensitive information such as credit and debit card information.

Ration card (India)

Ration cards are an official document issued by state governments in India to households that are eligible to purchase subsidised food grain from the Public Distribution System under the National Food Security Act (NFSA). They also serve as a common form of identification for many Indians.

The National Electoral Roll Purification and Authentication Programme (NERPAP) is a voter registration project of the Election Commission of India. It will link the Elector's Photo Identity Card (EPIC) with the Aadhaar number of the registered voter. It aims to create an error-free voter identification system in India, especially by removing duplications. The project was launched on 3 March 2015.

DigiLocker is a digitization service provided by the Indian Ministry of Electronics and Information Technology (MeitY) under its Digital India initiative. DigiLocker allows access to digital versions of various documents including drivers licenses, vehicle registration certificates and academic mark sheets. It also provides 1 GB storage space to each account to upload scanned copies of legacy documents.

Unorganised Workers' Identification Number or UWIN is a proposed unique number to be issued as identity proof to unorganised workers in India.

Aadhaar Act, 2016

The Aadhaar Act, 2016 is a money bill of the Parliament of India. It aims to provide legal backing to the Aadhaar unique identification number project. It was passed on 11 March 2016 by the Lok Sabha. Certain provisions of the Act came into force from 12 July 2016 and 12 September 2016.

Point-of-sale malware

Point-of-sale malware is usually a type of malicious software (malware) that is used by cybercriminals to target point of sale (POS) and payment terminals with the intent to obtain credit card and debit card information, a card's track 1 or track 2 data and even the CVV code, by various man-in-the-middle attacks, that is the interception of the processing at the retail checkout point of sale system. The simplest, or most evasive, approach is RAM-scraping, accessing the system's memory and exporting the copied information via a remote access trojan (RAT) as this minimizes any software or hardware tampering, potentially leaving no footprints. POS attacks may also include the use of various bits of hardware: dongles, trojan card readers, (wireless) data transmitters and receivers. Being at the gateway of transactions, POS malware enables hackers to process and steal thousands, even millions, of transaction payment data, depending upon the target, the number of devices affected, and how long the attack goes undetected. This is done before or outside of the card information being (usually) encrypted and sent to the payment processor for authorization.

JAM trinity refers to the government of India initiative to link Jan Dhan accounts, mobile numbers and Aadhaar cards of Indians to plug the leakages of government subsidies.

The 2016 Indian bank data breach was reported in October 2016. It was estimated 3.2 million debit cards were compromised. Major Indian banks, among them SBI, HDFC Bank, ICICI, YES Bank and Axis Bank, were among the worst hit. The breach went undetected for months and was first detected after several banks reported fraudulent use of their customers’ cards in China and the United States, while these customers were in India.

BHIM is an Indian mobile payment app developed by the National Payments Corporation of India (NPCI), based on the Unified Payments Interface (UPI). Launched on 30 December 2016, it is intended to facilitate e-payments directly through banks and encourage cashless transactions. It was named after Dr Bhimrao Ambedkar.

Airtel Payments Bank: Indian payments bank

Airtel Payments Bank is an Indian payments bank with its headquarters in New Delhi. The company is a subsidiary of Bharti Airtel. On 5 January 2022, it was granted the scheduled bank status by Reserve Bank of India under second schedule of RBI Act, 1934.

Identity documents of India are increasingly used to transact and obtain government benefits in India.

ShinyHunters is a criminal black-hat hacker group that is believed to have formed in 2020 and is said to have been involved in numerous data breaches. The stolen information is often sold on the dark web.

References

  1. "JustDial data leak exposed personal details of 100 million users: IT expert". Business Standard India. 18 April 2019. Retrieved 4 December 2020.
  2. "Data breach in India second highest after US in H1,2018: Gemalto - Times of India". The Times of India. 15 October 2018. Retrieved 7 December 2020.
  3. "Total internet users in India". Statista. Retrieved 9 December 2020.
  4. "India sees 37% increase in data breaches, cyber attacks this year". The Week. Retrieved 9 December 2020.
  5. "India saw a 37% increase in cyberattacks in the first three months of 2020". Business Insider. Retrieved 9 December 2020.
  6. Gopakumar, Gopika (9 February 2017). "Malware caused India's biggest debit card data breach: Audit report". mint. Retrieved 8 December 2020.
  7. Shukla, Saloni; Bhakta, Pratik. "3.2 million debit cards compromised; SBI, HDFC Bank, ICICI, YES Bank and Axis worst hit". The Economic Times. Retrieved 8 December 2020.
  8. "Millions of Indian debit cards 'compromised' in security breach". BBC News. 21 October 2016. Retrieved 8 December 2020.
  9. "Multiple banks hit: 3.2 million debit cards compromised; how it happened, what happens now?". The Indian Express. 21 October 2016. Retrieved 8 December 2020.
  10. Whittaker, Zack. "A new data leak hits Aadhaar, India's national ID database". ZDNet. Retrieved 8 December 2020.
  11. Doshi, Vidhi (4 January 2018). "A security breach in India has left a billion people at risk of identity theft". The Washington Post. Archived from the original on 5 January 2018.
  12. "1 bn records compromised in Aadhaar breach since January: Gemalto". @businessline. 15 October 2018. Retrieved 8 December 2020.
  13. "Indian state government leaks thousands of Aadhaar numbers". TechCrunch. Retrieved 8 December 2020.
  14. "India's national ID database is reportedly accessible for less than $10". TechCrunch. Retrieved 8 December 2020.
  15. "Rs 500, 10 minutes, and you have access to billion Aadhaar details". Tribuneindia News Service. Retrieved 8 December 2020.
  16. "Aadhaar: World's largest ID database exposed by India government errors". The Economic Times. Retrieved 8 December 2020.
  17. "130 mn Aadhaar numbers were not leaked, they were treated as publicly shareable data: CIS". Tech2. 3 May 2017. Retrieved 8 December 2020.
  18. Twitter. https://twitter.com/uidai/status/977549782796259331. Retrieved 9 December 2020.
  19. Whittaker, Zack. "A new data leak hits Aadhaar, India's national ID database". ZDNet. Retrieved 9 December 2020.
  20. "UIDAI files FIR against The Tribune reporter over story on Aadhaar data breach". India Today. 7 January 2018. Retrieved 9 December 2020.
  21. "Aadhaar Data Breach Largest in the World, Says WEF's Global Risk Report and Avast". Moneylife NEWS & VIEWS. Retrieved 8 December 2020.
  22. "SBI data leak: What happened? What can you do? All you need to know". www.businesstoday.in. February 2019. Retrieved 7 December 2020.
  23. "India's largest bank SBI leaked account data on millions of customers". TechCrunch. Retrieved 7 December 2020.
  24. Ramesh, Prasad (31 January 2019). "SBI data leak in India results in information of millions of customers exposed online". Security Boulevard. Retrieved 7 December 2020.
  25. Das, Saikat. "State Bank of India: SBI denies data leak charges, but customers be on alert". The Economic Times. Retrieved 7 December 2020.
  26. "Justdial suffers massive data breach! Over 10 cr users' details exposed; company denies reports". news.abplive.com. 18 April 2019. Retrieved 4 December 2020.
  27. "Data of 10 crore Justdial users exposed since 2015: Researcher". Inshorts - Stay Informed. Retrieved 4 December 2020.
  28. Ganjoo, Shweta (18 April 2019). "JustDial data breach: Personal data of over 100 million users exposed online". India Today. Retrieved 5 December 2020.
  29. "Over 100 Million JustDial Users' Personal Data Found Exposed On the Internet". The Hacker News. Retrieved 4 December 2020.
  30. "JustDial data leak exposed personal details of 100 million users: IT expert". Business Standard India. 18 April 2019. Retrieved 4 December 2020.
  31. "Justdial suffers massive data breach! Over 10 cr users' details exposed; company denies reports". news.abplive.com. 18 April 2019. Retrieved 5 December 2020.
  32. Palani, Kartik; Anantharaman, Prashant (20 November 2019). "What happened when the Kudankulam nuclear plant was hacked – and what real danger did it pose?". Scroll.in. Retrieved 9 December 2020.
  33. Porup, J. M. (9 December 2019). "How a nuclear plant got hacked". CSO Online. Retrieved 9 December 2020.
  34. Das, Debak. "Analysis | An Indian nuclear power plant suffered a cyberattack. Here's what you need to know". Washington Post. ISSN 0190-8286. Retrieved 9 December 2020.
  35. "Cyber attack at Kudankulam; critical system safe". Hindustan Times. 29 October 2019. Retrieved 9 December 2020.
  36. "Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups | U.S. Department of the Treasury". home.treasury.gov. Retrieved 9 December 2020.
  37. Cimpanu, Catalin. "Details for 1.3 million Indian payment cards put up for sale on Joker's Stash". ZDNet. Retrieved 9 December 2020.
  38. Mehta, Ivan (29 October 2019). "1.3 million Indian bank cards are up for sale on the dark web". The Next Web. Retrieved 9 December 2020.
  39. Ganjoo, Shweta (1 November 2019) [October 31, 2019]. "Details of 1.3 million Indian credit and debit cards selling online: Everything you need to know in 10 points". India Today. Retrieved 9 December 2020.
  40. "Joker's Stash Advertises Second Batch of Indian Card Data". www.bankinfosecurity.com. Retrieved 9 December 2020.
  41. "Explained: How big is the Bigbasket data breach?". The Indian Express. 12 November 2020. Retrieved 9 December 2020.
  42. K., Balakumar (9 November 2020). "Online grocery store BigBasket leaks out big data - possibly 20 million". TechRadar. Retrieved 9 December 2020.
  43. Chakravarti, Ankita (10 November 2020) [November 9, 2020]. "BigBasket confirms data breach of 2 crore BB users, here is what we know so far". India Today. Retrieved 9 December 2020.
  44. "Unacademy Suffers Data Breach; 22 Mn Users' Records for Sale". CISO MAG | Cyber Security Magazine. 7 May 2020. Retrieved 9 December 2020.
  45. "Unacademy hacked, data of 20 million users up for sale". The Week. Retrieved 9 December 2020.
  46. Ahmad, Samreen. "Unacademy data hacked, names and passwords put on sale: Security firm". Retrieved 9 December 2020.
  47. Mathur, Natasha (7 May 2020). "Unacademy Data Breach: Data of Nearly 22 Million Users Sold On Dark Web". Mashable India. Retrieved 9 December 2020.
  48. Ahaskar, Abhijit (6 May 2020). "Millions of Unacademy user accounts exposed in data breach: Report". mint. Retrieved 9 December 2020.
  49. "Explained: What is the data breach that has hit Air India customers?". The Indian Express. 22 May 2021. Retrieved 23 May 2021.
  50. "Air India cyberattack: Personal data of over 4.5 million passengers leaked". The Irish Times. Retrieved 23 May 2021.
  51. Chakravarti, Ankita (22 May 2021). "Leaked data of Dominos India users now available on search engine created by hacker". India Today. Archived from the original on 25 May 2021. Retrieved 28 May 2021.