India is rapidly digitising. There are good things and bad, speed-bumps on the way and caveats to be mindful of. The weekly column Terminal focuses on all that is connected and is not – on digital issues, policy, ideas and themes dominating the conversation in India and the world.Resecurity, a US cybersecurity firm, published a blog in early October pointing towards a general trend of the personal data of Indians being sold over the dark web. The firm found that a threat actor had advertised the sale of close to 815 million Aadhaar records for $80,000. The blog, citing other instances when Indians’ personal information was put up for sale, raised concerns about identity theft. A threat actor with the alias ‘pwn0001’ claimed that they could sell records of 815 million Indians, including names, ages, phone numbers, Aadhaar numbers and addresses. pwn0001 shared a sample, which had 1 lakh phone numbers and Aadhaar numbers. The sample dataset includes personal information of children as young as 10. It is yet unclear from which database the records of 81.5 crore Indians, including children’s Personally Identifiable Information (PII), have been breached. A News18 report claims that the Indian Council of Medical Research (ICMR)’s database was breached. The report also claims Indian Computer Emergency Response Team (CERT-In) has informed ICMR of the breach and it has to verify it. If this indeed proves to be the case, it is unclear why ICMR would have details of 10-year-olds.The push to link Aadhaar cards to everything has proliferated the personal data of Indians across cyberspace, among various public and private firms. There are a few databases with such large-scale personal data of Indians, but it is uncertain which database would have been breached. While the sample dataset can help us verify the genuineness of the data that has been put up for sale, it would still be hard to verify the source. Resecurity points to another threat actor with the alias “Lucius”, who has put up Indian law enforcement data for sale. According to Lucius, 85% of Indians’ personal data – including phone numbers, identity documents and addresses – are available in this dataset for sale. The sample dataset shared by Lucius indicates KYC data of mobile connections with columns for prepaid and postpaid being available in the dataset. Resecurity’s analysis shows that as data sharing is forced on Indians, more threat actors will be able to access large-scale PII data. This is not a new trend for many Indians, who have been used to hearing news of Aadhaar data breaches. What is evident, though, is that the scale of the breach and the size of the data are growing. This trend too can be attributed to the proliferation of Aadhaar across India’s data economy. The US cybersecurity firm is primarily concerned with the associated identity fraud that will follow these large-scale data breaches – online banking fraud, tax refund fraud and other financial crimes. Aadhaar-based frauds have become quite common in India and yet, the regulator won’t address the problem at hand. UIDAI has virtually ignored the Aadhaar data leaks, while promising us a virtual ID solution that disappeared after the litigation around Aadhaar concluded in the Supreme Court. Identifying the breach and plugging it would be important to critically address the issue of cybersecurity and safety for Indians. October is celebrated as “CyberSecurity Awareness Month” by CERT-In. Yet, we don’t really get much cybersecurity awareness other than basic tips and tricks. The cybersecurity landscape is fast changing with increasing data breaches and we need CERT-In to provide actual solutions instead of following a “security-through-obscurity” model. There is no panic or hysteria surrounding this breach. The inaction and continuous forcing of Aadhaar against the Supreme Court’s orders are concerning. Indians deserve better cybersecurity than what is currently in place. The implementation of the Digital Personal Data Protection Act, 2023 can address some of these issues but as long as government exemptions remain, data for government networks will continue to be breached. For true safety, Indians need to be provided with privacy. Instead, we are only offered security in terms of data protection. Even this promise of data protection is faulty, with no actual resources being allocated towards cybersecurity operations. India’s current paradigm of security doesn’t address the emerging challenges people are facing. UIDAI, the RBI, CERT-In and the information technology ministry should all at least acknowledge what is at stake when they force Aadhaar on Indians. Srinivas Kodali is a researcher on digitisation and a hacktivist.
