Data breaches in India
Data breach incidences in India were the second highest globally in 2018, according to a report by digital security firm Gemalto.[1][2] With over 690 million internet subscribers[3] and growing, India has increasingly seen a rise in data breaches both in the private and public sector.[4][5] This is a list of some of the biggest data breaches in the country.
2016 debit card data breach
[edit]In October 2016, it was reported[6][7] that as many as 3.2 million debit cards from major Indian banks were compromised due to a malware injection in the Hitachi Payment Services system. Hitachi provides ATM and Point of sale services in India and the malware enabled hackers to extract money from user accounts. The NPCI (National Payments Corporation of India) reported losses of nearly 13 million INR ($195,000 USD in 2016) in fraudulent transactions.[7][8] The worst hit banks included the State Bank of India (SBI), ICICI, HDFC, YES Bank and Axis Bank among others. The breach went undetected for 6 weeks and banks were alerted only after several international banks reported fraudulent use of cards in China and the United States while the customers were in India. SBI blocked and reissued 600,000 debit cards and was reported to be one of the biggest card replacements in Indian banking.[9]
Aadhar data breach
[edit]In early 2018, Indian government's identification database Aadhaar (similar to SSN) was reported to be leaking information on every registered Indian citizens[10] including names, bank details and other private information like biometric data.[11] Managed by Unique Identification Authority of India (UIDAI), Aadhar is a unique identification number obtained by over 1.1 billion[12][13] residents or passport holders of India based on their biometric and demographic data. The data leak was first revealed after anonymous sellers over WhatsApp provided unrestricted access to the Aadhar database for nominal costs.[14][15] The Tribune, an Indian newspaper reported that over 100,000 ex-employees of the Ministry of Electronics and Information Technology continued to have free access to the UIDAI system and therefore, the Aadhar database. Another data leak was found in the following months wherein a state-owned utility company Indane's (LPG) unprotected system allowed anyone to access private information on all Aadhaar holders. The company had unlimited access to the Aadhar database to verify user accounts and an unprotected API endpoint through the company's system allowed unauthorized queries to the database for potentially all Aadhar holders.[10] Not just indirectly, Aadhar information of over 130 million citizens was breached through state government websites as over 200 government websites erroneously made the database public.[13][16][17] The UIDAI has unequivocally denied any data breach in the Aadhar database[18][19] even though many of the insecure endpoints and government websites with unauthorized data access were put offline after the reports. UIDAI also filed a case against The Tribune under Sections 419, 420, 468 and 471 of the Indian Penal Code (IPC) alleging false reporting.[20] The WEF Global Risk Report deemed the Aadhar breach as the largest data breach in the world.[21]
SBI data breach
[edit]In January 2019, SBI exposed customer data, including mobile numbers, partial account numbers, balances and transaction details from an unprotected server in its Mumbai data center.[22][23] The server hosted SBI's "SBI Quick" service, a text and call based system to provide inquiring customers with updates on account balances, recent transactions and credit information.[22] The server was not password protected and allowed the retrieval of customer-specific messages through the back-end text messaging system.[23] The outgoing messages from the system were available in real time, along with over two months of daily archives, exposing financial details of millions of customers. Though SBI resolved the issue after the initial investigation by TechCrunch,[24] the bank dismissed the reports, saying customer data and financial records remained secure.[25]
Justdial data breach
[edit]In April 2019, the Mumbai-based local search engine Justdial was hit by a data breach that leaked details, including names, mobile numbers, email ids, occupations and addresses of nearly 10 crore (100 million) users.[26][27][28] Multiple sources suggested that the leak was due to an unprotected API endpoint[29][30] accessible since mid-2015 on the company's old website and app. While Justdial admitted to vulnerability of certain user details on the old version of the app, the company largely refuted the reports, suggesting that user and financial information was protected by the search platform through an OTP authentication system.[31]
Kudankulam nuclear power plant data breach
[edit]In September 2019, the Nuclear Power Corporation of India (NPCI) confirmed that India's largest nuclear plant, the Kudankulam nuclear power plant was attacked by a malware that collected information on the plant's IT network.[32][33] The breach was detected after a data file with traces of the Dtrack malware was uploaded on a cyber security firm's website.[34] CERT-India detected the malware in an infected PC connected to the administrative network. The NPCI claimed that the malware did not have access to the OT network responsible for internal, critical plant systems.[35] Tailored specifically for the plant, the attackers earlier broke into the plant's IT networks and stole admin credentials and used them to gain more information about the plant's networks through the malware. Multiple reports suggested that the malware was solely deployed to collect information,[32][33] including internet search history from the browser installed on the infected PC, local operating system registry information such as registered owner, registered organization and current user and the list of active processes on the PC. The information was written into temporary files extracted from a remote server by the attacker. The Dtrack malware has been traced back to the North Korea–linked[36] Lazarus Group.
2019 credit and debit card data breach
[edit]In October 2019, over 13 lakh (1.3 million) credit and debit card records were being sold to the dark web card shop Joker's Stash, a site used by cybercriminals for buying and selling card details.[37][38] Group-IB, a Singapore-based company revealed that over 98% of the cards in the database belonged to multiple Indian banks, with each card being sold for over $100.[38] The data breach revealed card numbers, expiration dates along with CVVs. Fully personally identifiable information including cardholders' names, emails, phone numbers and addresses were also available in the database.[37][39] The card details were possibly obtained via skimming devices, installed either on ATMs or Point of sale (PoS) systems[37] or through Magecart attacks, wherein JavaScript code is injected into e-commerce websites to intercept payment data.[40] Another major card dump of over 460,000 cards was put up for sale on Joker's Stash in February 2020 with similar fully personally identifiable information, selling at $9 per card.[40] The breach is currently deemed to be the biggest card dump on the internet. Investigations on the breach are still pending.
BigBasket data breach
[edit]In November 2020, the Bangalore-based online grocer BigBasket suffered a data breach that leaked the details of their over 2 crore (20 million) users, including email IDs, password hashes, PINs, phone numbers, addresses, dates of birth, locations and IP addresses.[41] The data breach was noticed after the data was put on sale on the dark web for almost ₹30 lakh INR ($40000 USD in 2020).[41] The cause of the breach was an unsecure SQL file, potentially hacked into using an SQL injection, that contained over 15 GBs of user data.[42] Bigbasket has acknowledged the breach[43] and filed a case with the Banglore Cyber Crime cell. The breach is currently under investigation.
Unacademy data breach
[edit]In May 2020, the Bangalore-based online learning platform Unacademy found compromised email data of over 11 million users but no sensitive information such as financial data, location or passwords has been breached.[44][45] The breach was revealed after the company's 20 million user accounts were being sold on the dark web for almost ₹1.5 lakh INR ($2,000 USD).[46][47] Cyble, a cybercrime monitoring company claimed that beyond user accounts, user data including IDs, passwords, date joined, last login date, email IDs, names and user credentials had also been breached.[44][48] Unacademy is yet to verify whether the entire database was vulnerable to the breach
Air India data breach
[edit]On 21 May 2021, it was reported that Air India was subjected to a cyberattack whereas the personal details of about 4.5 million customers around the world were compromised. The breach involved personal data registered between 26 August 2011 and 3 February 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data as well as credit card data[49][50]
Dominos India data breach Rajasthan Healthcare Data Breach
[edit]On 22 May 2021, it was reported that Dominos India, subsidiary of Jubilant FoodWorks, had witnessed a cyberattack and the data of 18 crore orders were leaked on the dark web including order details, email addresses, phone numbers and credit card details. Jubilant Foodworks stated that they had experienced an information security incident and denied any financial information being accessed by the hackers.[51]
Rajasthan Healthcare Data Breach
[edit]In June 2024, a cybersecurity researcher discovered and responsibly disclosed a data breach in a subdomain of the Rajasthan government’s health system. The breach was caused by misconfigured access controls, which left sensitive healthcare data exposed. While the system was vulnerable, there were no official reports of exploitation before it was mitigated. The researcher adhered to ethical practices by avoiding interaction with sensitive data and reported the issue to the National Critical Information Infrastructure Protection Centre (NCIIPC), which promptly secured the system.[52]
See also
[edit]References
[edit]- ^ "JustDial data leak exposed personal details of 100 million users: IT expert". Business Standard India. 18 April 2019. Retrieved 4 December 2020.
- ^ "Data breach in India second highest after US in H1,2018: Gemalto - Times of India". The Times of India. 15 October 2018. Retrieved 7 December 2020.
- ^ "Total internet users in India". Statista. Retrieved 9 December 2020.
- ^ "India sees 37% increase in data breaches, cyber attacks this year". The Week. Retrieved 9 December 2020.
- ^ "India saw a 37% increase in cyberattacks in the first three months of 2020". Business Insider. Retrieved 9 December 2020.
- ^ Gopakumar, Gopika (9 February 2017). "Malware caused India's biggest debit card data breach: Audit report". mint. Retrieved 8 December 2020.
- ^ a b Shukla, Saloni; Bhakta, Pratik. "3.2 million debit cards compromised; SBI, HDFC Bank, ICICI, YES Bank and Axis worst hit". The Economic Times. Retrieved 8 December 2020.
- ^ "Millions of Indian debit cards 'compromised' in security breach". BBC News. 21 October 2016. Retrieved 8 December 2020.
- ^ "Multiple banks hit: 3.2 million debit cards compromised; how it happened, what happens now?". The Indian Express. 21 October 2016. Retrieved 8 December 2020.
- ^ a b Whittaker, Zack. "A new data leak hits Aadhaar, India's national ID database". ZDNet. Retrieved 8 December 2020.
- ^ Doshi, Vidhi (4 January 2018). "A security breach in India has left a billion people at risk of identity theft". The Washington Post. Archived from the original on 5 January 2018.
- ^ "1 bn records compromised in Aadhaar breach since January: Gemalto". @businessline. 15 October 2018. Retrieved 8 December 2020.
- ^ a b "Indian state government leaks thousands of Aadhaar numbers". TechCrunch. Retrieved 8 December 2020.
- ^ "India's national ID database is reportedly accessible for less than $10". TechCrunch. Retrieved 8 December 2020.
- ^ "Rs 500, 10 minutes, and you have access to billion Aadhaar details". Tribuneindia News Service. Retrieved 8 December 2020.
- ^ "Aadhaar: World's largest ID database exposed by India government errors". The Economic Times. Retrieved 8 December 2020.
- ^ "130 mn Aadhaar numbers were not leaked, they were treated as publicly shareable data: CIS". Tech2. 3 May 2017. Retrieved 8 December 2020.
- ^ @UIDAI (24 March 2018). "There is no truth in this story as there has been absolutely no breach of UIDAI's Aadhaar database. Aadhaar remains safe and secure. 2/8" (Tweet) – via Twitter.
- ^ Whittaker, Zack. "A new data leak hits Aadhaar, India's national ID database". ZDNet. Retrieved 9 December 2020.
- ^ "UIDAI files FIR against The Tribune reporter over story on Aadhaar data breach". India Today. 7 January 2018. Retrieved 9 December 2020.
- ^ "Aadhaar Data Breach Largest in the World, Says WEF's Global Risk Report and Avast". Moneylife NEWS & VIEWS. Retrieved 8 December 2020.
- ^ a b "SBI data leak: What happened? What can you do? All you need to know". www.businesstoday.in. February 2019. Retrieved 7 December 2020.
- ^ a b "India's largest bank SBI leaked account data on millions of customers". TechCrunch. Retrieved 7 December 2020.
- ^ Ramesh, Prasad (31 January 2019). "SBI data leak in India results in information of millions of customers exposed online". Security Boulevard. Retrieved 7 December 2020.
- ^ Das, Saikat. "State Bank of India: SBI denies data leak charges, but customers be on alert". The Economic Times. Retrieved 7 December 2020.
- ^ "Justdial suffers massive data breach! Over 10 cr users' details exposed; company denies reports". news.abplive.com. 18 April 2019. Retrieved 4 December 2020.
- ^ "Data of 10 crore Justdial users exposed since 2015: Researcher". Inshorts - Stay Informed. Retrieved 4 December 2020.
- ^ Ganjoo, Shweta (18 April 2019). "JustDial data breach: Personal data of over 100 million users exposed online". India Today. Retrieved 5 December 2020.
- ^ "Over 100 Million JustDial Users' Personal Data Found Exposed On the Internet". The Hacker News. Retrieved 4 December 2020.
- ^ "JustDial data leak exposed personal details of 100 million users: IT expert". Business Standard India. 18 April 2019. Retrieved 4 December 2020.
- ^ "Justdial suffers massive data breach! Over 10 cr users' details exposed; company denies reports". news.abplive.com. 18 April 2019. Retrieved 5 December 2020.
- ^ a b Palani, Kartik; Anantharaman, Prashant (20 November 2019). "What happened when the Kudankulam nuclear plant was hacked – and what real danger did it pose?". Scroll.in. Retrieved 9 December 2020.
- ^ a b Porup, J. M. (9 December 2019). "How a nuclear plant got hacked". CSO Online. Retrieved 9 December 2020.
- ^ Das, Debak. "Analysis | An Indian nuclear power plant suffered a cyberattack. Here's what you need to know". Washington Post. ISSN 0190-8286. Retrieved 9 December 2020.
- ^ "Cyber attack at Kudankulam; critical system safe". Hindustan Times. 29 October 2019. Retrieved 9 December 2020.
- ^ "Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups". United States Department of the Treasury. Retrieved 9 December 2020.
- ^ a b c Cimpanu, Catalin. "Details for 1.3 million Indian payment cards put up for sale on Joker's Stash". ZDNet. Retrieved 9 December 2020.
- ^ a b Mehta, Ivan (29 October 2019). "1.3 million Indian bank cards are up for sale on the dark web". The Next Web. Retrieved 9 December 2020.
- ^ Ganjoo, Shweta (1 November 2019) [October 31, 2019]. "Details of 1.3 million Indian credit and debit cards selling online: Everything you need to know in 10 points". India Today. Retrieved 9 December 2020.
- ^ a b "Joker's Stash Advertises Second Batch of Indian Card Data". www.bankinfosecurity.com. Retrieved 9 December 2020.
- ^ a b "Explained: How big is the Bigbasket data breach?". The Indian Express. 12 November 2020. Retrieved 9 December 2020.
- ^ K., Balakumar (9 November 2020). "Online grocery store BigBasket leaks out big data - possibly 20 million". TechRadar. Retrieved 9 December 2020.
- ^ Chakravarti, Ankita (10 November 2020) [November 9, 2020]. "BigBasket confirms data breach of 2 crore BB users, here is what we know so far". India Today. Retrieved 9 December 2020.
- ^ a b "Unacademy Suffers Data Breach; 22 Mn Users' Records for Sale". CISO MAG | Cyber Security Magazine. 7 May 2020. Retrieved 9 December 2020.
- ^ "Unacademy hacked, data of 20 million users up for sale". The Week. Retrieved 9 December 2020.
- ^ Ahmad, Samreen. "Unacademy data hacked, names and passwords put on sale: Security firm". Retrieved 9 December 2020.
- ^ Mathur, Natasha (7 May 2020). "Unacademy Data Breach: Data of Nearly 22 Million Users Sold On Dark Web". Mashable India. Retrieved 9 December 2020.
- ^ Ahaskar, Abhijit (6 May 2020). "Millions of Unacademy user accounts exposed in data breach: Report". mint. Retrieved 9 December 2020.
- ^ "Explained: What is the data breach that has hit Air India customers?". The Indian Express. 22 May 2021. Retrieved 23 May 2021.
- ^ "Air India cyberattack: Personal data of over 4.5 million passengers leaked". The Irish Times. Retrieved 23 May 2021.
- ^ Chakravarti, Ankita (22 May 2021). "Leaked data of Dominos India users now available on search engine created by hacker". India Today. Archived from the original on 25 May 2021. Retrieved 28 May 2021.
- ^ Das, Rudra (22 October 2024). "How I Stumbled Upon a Major Data Breach in India's Healthcare System". Medium. Retrieved 11 December 2024.