Aadhaar data of 815 million on sale on the dark web, says report

The hacker was willing to sell the entire Aadhaar and Indian passport dataset for 80,000 US dollars when contacted by Resecurity

Don't want to miss the best from Business Standard?

In a serious data breach, personally identifiable information of 815 million Indians has been up on the dark web for sale, according to a report by US-based cybersecurity firm Resecurity. Details such as Aadhaar and passport information along with names, phone numbers and addresses are available for sale online, it has said.

Media reports suggested that the Indian Council of Medical Research (ICMR) database might have been compromised, given the extensive scope and sensitive nature of the information. Queries sent to ICMR were not answered at press time.

“Securing assets is of importance for businesses in today’s world. The recent incident where the personal information of 815 million Indians was exposed in a data leak highlights the need for companies to take adequate measures,” said Sanjay Kaushik, managing director of Netrika Consulting.

According to the Resecurity website, on October 9 an individual using the alias “pwn0001” shared a post on BreachForums (a darknet crime forum) offering access to 815 million records containing information on “Indian Citizen Aadhaar and Passport”.

The hacker was willing to sell the entire Aadhaar and Indian passport dataset for $80,000 when contacted by Resecurity.

In August this year, another threat actor known as “Lucius” posted a thread on BreachForums offering to sell a 1.8 terabyte data leak related to an unnamed “Indian internal law enforcement organisation”.

In April 2022, the Comptroller and Auditor General conducted an investigation into the Unique Identification Authority of India (UIDAI) and discovered that the authority had not effectively regulated its client vendors and safeguarded the security of their data vaults, as stated in a Brookings report.

Since its inception in 2009, UIDAI has issued approximately 1.4 billion Aadhaar cards. A report from the Brookings Institution in 2022 highlighted that the ID system ranked among the world’s largest biometric identification initiatives.

“Adopting measures like encryption, multifactor authentication and access controls are vital to protect data. Regular security audits and updates are also components of a cybersecurity strategy that can adapt to emerging threats effectively,” said Kaushik.

The exposure of personally identifiable information on the dark web, which includes Aadhaar and other personal details of Indian citizens, poses a substantial threat of digital identity theft. Malicious actors use pilfered identity data to engage in activities such as online banking fraud, tax refund scams and various cyber financial crimes.