Data breaches in India

From HandWiki
Short description: List of data breaches in India

Data breach incidences in India were the second highest globally in 2018, according to a report by digital security firm Gemalto.[1][2] With over 690 million internet subscribers[3] and growing, India has increasingly seen a rise in data breaches both in the private and public sector.[4][5] This is a list of some of the biggest data breaches in the country.

2016 debit card data breach

Main page: 2016 Indian Banks data breach

In October 2016, it was reported[6][7] that as many as 3.2 million debit cards from major Indian banks were compromised due to a malware injection in the Hitachi Payment Services system. Hitachi provides ATM and Point of sale services in India and the malware enabled hackers to extract money from user accounts. The NPCI (National Payments Corporation of India) reported losses of nearly 13 million INR ($195,000 USD in 2016) in fraudulent transactions.[7][8] The worst hit banks included the State Bank of India (SBI), ICICI, HDFC, YES Bank and Axis Bank among others. The breach went undetected for 6 weeks and banks were alerted only after several international banks reported fraudulent use of cards in China and the United States while the customers were in India . SBI blocked and reissued 600,000 debit cards and was reported to be one of the biggest card replacements in Indian banking.[9]

Aadhar data breach

India's Aadhar data breach was one of the biggest data breaches in 2018

In early 2018, Indian government's identification database Aadhaar (similar to SSN) was reported to be leaking information on every registered Indian citizens[10] including names, bank details and other private information like biometric data.[11] Managed by Unique Identification Authority of India (UIDAI), Aadhar is a unique identification number obtained by over 1.1 billion[12][13] residents or passport holders of India based on their biometric and demographic data. The data leak was first revealed after anonymous sellers over WhatsApp provided unrestricted access to the Aadhar database for nominal costs.[14][15] The Tribune, an Indian newspaper reported that over 100,000 ex-employees of the Ministry of Electronics and Information Technology continued to have free access to the UIDAI system and therefore, the Aadhar database. Another data leak was found in the following months wherein a state-owned utility company Indane's (LPG) unprotected system allowed anyone to access private information on all Aadhaar holders. The company had unlimited access to the Aadhar database to verify user accounts and an unprotected API endpoint through the company's system allowed unauthorized queries to the database for potentially all Aadhar holders.[10] Not just indirectly, Aadhar information of over 130 million citizens was breached through state government websites as over 200 government websites erroneously made the database public.[13][16][17] The UIDAI has unequivocally denied any data breach in the Aadhar database[18][19] even though many of the unsecure endpoints and government websites with unauthorized data access were put offline after the reports. UIDAI also filed a case against The Tribune under Sections 419, 420, 468 and 471 of the Indian Penal Code (IPC) alleging false reporting.[20] The WEF Global Risk Report deemed the Aadhar breach as the largest data breach in the world.[21]

SBI data breach

In January 2019, SBI exposed customer data, including mobile numbers, partial account numbers, balances and transaction details from an unprotected server in its Mumbai data center.[22][23] The server hosted SBI's "SBI Quick" service, a text and call based system to provide inquiring customers with updates on account balances, recent transactions and credit information.[22] The server was not password protected and allowed the retrieval of customer-specific messages through the back-end text messaging system.[23] The outgoing messages from the system were available in real time, along with over two months of daily archives, exposing financial details of millions of customers. Though SBI resolved the issue after the initial investigation by TechCrunch,[24] the bank dismissed the reports, saying customer data and financial records remained secure.[25]

Justdial data breach

In April 2019, the Mumbai -based local search engine Justdial was hit by a data breach that leaked details, including names, mobile numbers, email ids, occupations and addresses of nearly 10 crore (100 million) users.[26][27][28] Multiple sources suggested that the leak was due to an unprotected API endpoint[29][30] accessible since mid-2015 on the company's old website and app. While Justdial admitted to vulnerability of certain user details on the old version of the app, the company largely refuted the reports, suggesting that user and financial information was protected by the search platform through an OTP authentication system.[31]

Kudankulam nuclear power plant data breach

In September 2019, the Nuclear Power Corporation of India (NPCI) confirmed that India's largest nuclear plant, the Kudankulam nuclear power plant was attacked by a malware that collected information on the plant's IT network.[32][33] The breach was detected after a data file with traces of the Dtrack malware was uploaded on a cyber security firm’s website.[34] CERT-India detected the malware in an infected PC connected to the administrative network. The NPCI claimed that the malware did not have access to the OT network responsible for internal, critical plant systems.[35] Tailored specifically for the plant, the attackers earlier broke into the plant's IT networks and stole admin credentials and used them to gain more information about the plant's networks through the malware. Multiple reports suggested that the malware was solely deployed to collect information,[32][33] including internet search history from the browser installed on the infected PC, local operating system registry information such as registered owner, registered organization and current user and the list of active processes on the PC. The information was written into temporary files extracted from a remote server by the attacker. The Dtrack malware has been traced back to the North Korea-linked[36] Lazarus Group.

2019 credit and debit card data breach

In October 2019, over 13 lakh (1.3 million) credit and debit card records were being sold to the dark web card shop Joker's Stash, a site used by cybercriminals for buying and selling card details.[37][38] Group-IB, a Singapore-based company revealed that over 98% of the cards in the database belonged to multiple Indian banks, with each card being sold for over $100.[38] The data breach revealed card numbers, expiration dates along with CVVs. Fully personally identifiable information including cardholders' names, emails, phone numbers and addresses were also available in the database.[37][39] The card details were possibly obtained via skimming devices, installed either on ATMs or Point of sale (PoS) systems[37] or through Magecart attacks, wherein JavaScript code is injected into e-commerce websites to intercept payment data.[40] Another major card dump of over 460,000 cards was put up for sale on Joker's Stash in February 2020 with similar fully personally identifiable information, selling at $9 per card.[40] The breach is currently deemed to be the biggest card dump on the internet. Investigations on the breach are still pending.

BigBasket data breach

In November 2020, the Bangalore-based online grocer BigBasket suffered a data breach that leaked the details of their over 2 crore (20 million) users, including email IDs, password hashes, PINs, phone numbers, addresses, dates of birth, locations and IP addresses.[41] The data breach was noticed after the data was put on sale on the dark web for almost ₹30 lakh INR ($40000 USD in 2020).[41] The cause of the breach was an unsecure SQL file, potentially hacked into using an SQL injection, that contained over 15 GBs of user data.[42] Bigbasket has acknowledged the breach[43] and filed a case with the Banglore Cyber Crime cell. The breach is currently under investigation.

Unacademy data breach

In May 2020, the Bangalore-based online learning platform Unacademy found compromised email data of over 11 million users but no sensitive information such as financial data, location or passwords has been breached.[44][45] The breach was revealed after the company's 20 million user accounts were being sold on the dark web for almost ₹1.5 lakh INR ($2,000 USD).[46][47] Cyble, a cybercrime monitoring company claimed that beyond user accounts, user data including IDs, passwords, date joined, last login date, email IDs, names and user credentials had also been breached.[44][48] Unacademy is yet to verify whether the entire database was vulnerable to the breach

Air India data breach

On 21 May 2021, it was reported that Air India was subjected to a cyberattack whereas the personal details of about 4.5 million customers around the world were compromised. The breach involved personal data registered between 26 August 2011 and 3 February 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data as well as credit card data[49][50]

Dominos India data breach

On 22 May 2021, it was reported that Dominos India, subsidiary of Jubilant FoodWorks, had witnessed a cyberattack and the data of 18 crore orders were leaked on the dark web including order details, email addresses, phone numbers and credit card details. Jubilant Foodworks stated that they had experienced an information security incident and denied any financial information being accessed by the hackers.[51]

See also

References

  1. "JustDial data leak exposed personal details of 100 million users: IT expert". Business Standard India. 2019-04-18. https://www.business-standard.com/article/technology/justdial-data-leak-exposed-personal-details-of-100-million-users-it-expert-119041800271_1.html#:~:text=Justdial,%20a%20company%20that%20provides,cyber-security%20researcher%20Rajshekhar%20Rajaharia.. 
  2. "Data breach in India second highest after US in H1,2018: Gemalto - Times of India" (in en). October 15, 2018. https://timesofindia.indiatimes.com/business/india-business/data-breach-in-india-second-highest-after-us-in-h12018-gemalto/articleshow/66227056.cms. 
  3. "Total internet users in India" (in en). https://www.statista.com/statistics/255146/number-of-internet-users-in-india/. 
  4. "India sees 37% increase in data breaches, cyber attacks this year" (in en). https://www.theweek.in/news/biz-tech/2020/11/17/india-sees-37-increase-in-data-breaches-cyber-attacks-this-year.html. 
  5. "India saw a 37% increase in cyberattacks in the first three months of 2020". https://www.businessinsider.in/tech/news/india-saw-a-37-increase-in-cyberattacks-in-the-first-three-months-of-2020/articleshow/75914735.cms. 
  6. Gopakumar, Gopika (2017-02-09). "Malware caused India's biggest debit card data breach: Audit report" (in en). https://www.livemint.com/Industry/jVF2Aw72w0DcBsUGseV0UP/Malware-caused-Indias-biggest-debit-card-fraud-Audit-repor.html. 
  7. 7.0 7.1 Shukla, Saloni; Bhakta, Pratik. "3.2 million debit cards compromised; SBI, HDFC Bank, ICICI, YES Bank and Axis worst hit". The Economic Times. https://economictimes.indiatimes.com/industry/banking/finance/banking/3-2-million-debit-cards-compromised-sbi-hdfc-bank-icici-yes-bank-and-axis-worst-hit/articleshow/54945561.cms?from=mdr. 
  8. "Millions of Indian debit cards 'compromised' in security breach" (in en-GB). BBC News. 2016-10-21. https://www.bbc.com/news/world-asia-india-37725187. 
  9. "Multiple banks hit: 3.2 million debit cards compromised; how it happened, what happens now?" (in en). 2016-10-21. https://indianexpress.com/article/explained/multiple-banks-hit-3-2-million-debit-cards-compromised-how-it-happened-what-happens-now-3094108/. 
  10. 10.0 10.1 Whittaker, Zack. "A new data leak hits Aadhaar, India's national ID database" (in en). https://www.zdnet.com/article/another-data-leak-hits-india-aadhaar-biometric-database/. 
  11. Doshi, Vidhi (4 January 2018). "A security breach in India has left a billion people at risk of identity theft". The Washington Post. https://www.washingtonpost.com/news/worldviews/wp/2018/01/04/a-security-breach-in-india-has-left-a-billion-people-at-risk-of-identity-theft/. 
  12. "1 bn records compromised in Aadhaar breach since January: Gemalto" (in en). 15 October 2018. https://www.thehindubusinessline.com/news/1-bn-records-compromised-in-aadhaar-breach-since-january-gemalto/article25224758.ece. 
  13. 13.0 13.1 "Indian state government leaks thousands of Aadhaar numbers" (in en-US). https://social.techcrunch.com/2019/01/31/aadhaar-data-leak/. 
  14. "India's national ID database is reportedly accessible for less than $10" (in en-US). https://social.techcrunch.com/2018/01/04/indias-national-id-database-is-reportedly-accessible-for-less-than-10/. 
  15. "Rs 500, 10 minutes, and you have access to billion Aadhaar details" (in en). https://www.tribuneindia.com/news/archive/nation/rs-500-10-minutes-and-you-have-access-to-billion-aadhaar-details-523361. 
  16. "Aadhaar: World's largest ID database exposed by India government errors". The Economic Times. https://economictimes.indiatimes.com/news/economy/policy/worlds-largest-id-database-exposed-by-india-government-errors/articleshow/64169884.cms?from=mdr. 
  17. "130 mn Aadhaar numbers were not leaked, they were treated as publicly shareable data: CIS". 2017-05-03. https://www.firstpost.com/tech/news-analysis/130-mn-aadhaar-numbers-were-not-leaked-they-were-treated-as-publicly-shareable-data-cis-3702187.html. 
  18. "Error: no |title= specified when using {{Cite web}}" (in en). https://twitter.com/uidai/status/977549782796259331. 
  19. Whittaker, Zack. "A new data leak hits Aadhaar, India's national ID database" (in en). https://www.zdnet.com/article/another-data-leak-hits-india-aadhaar-biometric-database/. 
  20. "UIDAI files FIR against The Tribune reporter over story on Aadhaar data breach" (in en). January 7, 2018. https://www.indiatoday.in/india/story/aadhaar-data-breach-fir-tribune-story-data-uidai-1124160-2018-01-07. 
  21. "Aadhaar Data Breach Largest in the World, Says WEF's Global Risk Report and Avast". https://www.moneylife.in/article/aadhaar-data-breach-largest-in-the-world-says-wefs-global-risk-report-and-avast/56384.html. 
  22. 22.0 22.1 "SBI data leak: What happened? What can you do? All you need to know". February 2019. https://www.businesstoday.in/technology/sbi-data-leak-what-happened-sbi-data-breach-financial-data/story/316071.html. 
  23. 23.0 23.1 "India's largest bank SBI leaked account data on millions of customers" (in en-US). https://social.techcrunch.com/2019/01/30/state-bank-india-data-leak/. 
  24. Ramesh, Prasad (2019-01-31). "SBI data leak in India results in information of millions of customers exposed online" (in en-US). https://securityboulevard.com/2019/01/sbi-data-leak-in-india-results-in-information-of-millions-of-customers-exposed-online/. 
  25. Das, Saikat. "State Bank of India: SBI denies data leak charges, but customers be on alert". The Economic Times. https://economictimes.indiatimes.com/industry/banking/finance/banking/sbi-denies-data-leak-charges-but-customers-be-on-alert/articleshow/67779161.cms?from=mdr. 
  26. "Justdial suffers massive data breach! Over 10 cr users' details exposed; company denies reports" (in en). 2019-04-18. https://news.abplive.com/news/gadgets/justdial-suffers-massive-data-breach-over-10-cr-users-details-exposed-company-denies-reports-968341. 
  27. "Data of 10 crore Justdial users exposed since 2015: Researcher" (in en). https://inshorts.com/en/news/data-of-10-crore-justdial-users-exposed-since-2015-researcher-1555422518238. 
  28. Ganjoo, Shweta (April 18, 2019). "JustDial data breach: Personal data of over 100 million users exposed online" (in en). https://www.indiatoday.in/technology/news/story/justdial-data-breach-personal-data-of-over-100-million-users-exposed-online-1504929-2019-04-18. 
  29. "Over 100 Million JustDial Users' Personal Data Found Exposed On the Internet" (in en). https://thehackernews.com/2019/04/justdial-hacked-data-breach.html. 
  30. "JustDial data leak exposed personal details of 100 million users: IT expert". Business Standard India. 2019-04-18. https://www.business-standard.com/article/technology/justdial-data-leak-exposed-personal-details-of-100-million-users-it-expert-119041800271_1.html#:~:text=Justdial,%20a%20company%20that%20provides,cyber-security%20researcher%20Rajshekhar%20Rajaharia. 
  31. "Justdial suffers massive data breach! Over 10 cr users' details exposed; company denies reports" (in en). 2019-04-18. https://news.abplive.com/news/gadgets/justdial-suffers-massive-data-breach-over-10-cr-users-details-exposed-company-denies-reports-968341. 
  32. 32.0 32.1 Palani, Kartik; Anantharaman, Prashant (20 November 2019). "What happened when the Kudankulam nuclear plant was hacked – and what real danger did it pose?" (in en-US). https://scroll.in/article/943954/what-happened-when-the-kudankulam-nuclear-plant-was-hacked-and-what-real-danger-did-it-pose. 
  33. 33.0 33.1 Porup, J. M. (2019-12-09). "How a nuclear plant got hacked" (in en). https://www.csoonline.com/article/3488816/how-a-nuclear-plant-got-hacked.html. 
  34. Das, Debak. "Analysis | An Indian nuclear power plant suffered a cyberattack. Here's what you need to know." (in en-US). Washington Post. ISSN 0190-8286. https://www.washingtonpost.com/politics/2019/11/04/an-indian-nuclear-power-plant-suffered-cyberattack-heres-what-you-need-know/. 
  35. "Cyber attack at Kudankulam; critical system safe" (in en). 2019-10-29. https://www.hindustantimes.com/india-news/cyber-attack-on-kudankulam-plant-network-not-possible/story-4b5QiRVGuTtTi4MlOexadL.html. 
  36. "Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups | U.S. Department of the Treasury". https://home.treasury.gov/news/press-releases/sm774. 
  37. 37.0 37.1 37.2 Cimpanu, Catalin. "Details for 1.3 million Indian payment cards put up for sale on Joker's Stash" (in en). https://www.zdnet.com/article/details-for-1-3-million-indian-payment-cards-put-up-for-sale-on-jokers-stash/. 
  38. 38.0 38.1 Mehta, Ivan (2019-10-29). "1.3 million Indian bank cards are up for sale on the dark web" (in en-us). https://thenextweb.com/security/2019/10/29/1-3-million-indian-bank-cards-are-up-for-sale-on-the-dark-web/. 
  39. Ganjoo, Shweta (November 1, 2019). "Details of 1.3 million Indian credit and debit cards selling online: Everything you need to know in 10 points" (in en). https://www.indiatoday.in/technology/features/story/details-of-1-3m-indian-cards-selling-online-everything-you-need-to-know-in-10-points-1614411-2019-10-31. 
  40. 40.0 40.1 "Joker's Stash Advertises Second Batch of Indian Card Data" (in en). https://www.bankinfosecurity.com/jokers-stash-advertises-second-batch-indian-card-data-a-13697. 
  41. 41.0 41.1 "Explained: How big is the Bigbasket data breach?" (in en). 2020-11-12. https://indianexpress.com/article/explained/explained-how-big-is-the-bigbasket-data-breach-7026688/. 
  42. K., Balakumar (November 9, 2020). "Online grocery store BigBasket leaks out big data - possibly 20 million" (in en). https://www.techradar.com/news/data-breach-at-bigbasket-20-million-users-privacy-may-have-been-hit. 
  43. Chakravarti, Ankita (November 10, 2020). "BigBasket confirms data breach of 2 crore BB users, here is what we know so far" (in en). https://www.indiatoday.in/technology/features/story/bigbasket-confirms-data-breach-of-2-crore-bb-users-here-is-what-we-know-so-far-1739342-2020-11-09. 
  44. 44.0 44.1 "Unacademy Suffers Data Breach; 22 Mn Users' Records for Sale" (in en-US). 2020-05-07. https://cisomag.eccouncil.org/unacademy-data-breach/. 
  45. "Unacademy hacked, data of 20 million users up for sale" (in en). https://www.theweek.in/news/sci-tech/2020/05/07/unacademy-hacked-data-of-20-mn-users-up-for-sale.html. 
  46. Ahmad, Samreen. "Unacademy data hacked, names and passwords put on sale: Security firm" (in en). https://www.business-standard.com/article/companies/unacademy-s-database-hacked-information-of-11-million-users-compromised-120050701280_1.html. 
  47. Mathur, Natasha (2020-05-07). "Unacademy Data Breach: Data of Nearly 22 Million Users Sold On Dark Web" (in en-in). https://in.mashable.com/tech/13837/unacademy-data-breach-data-of-nearly-22-million-users-sold-on-dark-web. 
  48. Ahaskar, Abhijit (2020-05-06). "Millions of Unacademy user accounts exposed in data breach: Report" (in en). https://www.livemint.com/technology/tech-news/over-20-mn-unacademy-user-accounts-exposed-in-data-breach-report-11588775083410.html. 
  49. "Explained: What is the data breach that has hit Air India customers?" (in en). 2021-05-22. https://indianexpress.com/article/explained/air-india-sita-data-breach-explained-7325501/. 
  50. "Air India cyberattack: Personal data of over 4.5 million passengers leaked" (in en). The Irish Times. https://www.irishtimes.com/news/world/asia-pacific/air-india-cyberattack-personal-data-of-over-4-5-million-passengers-leaked-1.4572596. 
  51. Chakravarti, Ankita (22 May 2021). "Leaked data of Dominos India users now available on search engine created by hacker". India Today. https://www.indiatoday.in/technology/news/story/leaked-data-of-dominos-india-users-now-available-on-search-engine-created-by-hacker-1805595-2021-05-22.