Dr.M. Suresh Babu, President, Praja Science Vedika
Sensitive personal data of about 815 million (81.5 crore) Indians has leaked and surfaced on the dark web. The stolen information comprises Aadhaar and passport details, names, phone numbers and temporary and permanent addresses. The data reportedly comes from the information collected by the Indian Council of Medical Research (ICMR) during COVID-19 testing. Data breaches involving sensitive personal information, particularly medical data, can have severe consequences for individuals and organizations. Medical data, known in the United States as Protected Health Information (PHI), typically includes patient records, medical history, treatment plans and personal identifiers. Sensitive medical data often includes highly personal and confidential information such as diagnoses, treatment histories, medications and potentially even genetic data. In many countries this data is subject to specific legal protections and regulations, but India has no equivalent of the US Health Insurance Portability and Accountability Act (HIPAA).
If genuine, this is potentially the biggest data breach in India's history. The leak was brought to attention by 'pwn0001', a hacker who advertised the stolen information on the dark web. The information is believed to have come from the data ICMR collected during COVID-19 testing; the hacker claims as much, but the epicentre of the leak is still unknown and no agency has yet confirmed it. Breaches of medical data can cause significant harm to individuals, including identity theft, medical identity theft (fraudulently obtaining medical services in someone else's name) and exposure of sensitive medical conditions. The consequences extend beyond financial loss and may affect an individual's physical and mental health. Healthcare organizations must implement robust security measures to protect medical data, including encryption, access controls and regular security audits. Employee training and awareness programmes are also crucial, as many data breaches occur through human error or insider threats. In the event of a breach, healthcare providers and organizations should promptly notify affected individuals, regulatory authorities and, where required, the media. An effective response plan should be in place to mitigate the impact of the breach, such as offering credit monitoring to affected patients.
Beyond legal and regulatory requirements, there are ethical considerations related to handling sensitive medical data. Patients trust healthcare providers with their most personal information, and organizations have a responsibility to safeguard this trust.
The initial discovery of the data breach was made by Resecurity, an American cyber-security and threat-intelligence company. On October 9, 'pwn0001' posted on Breach Forums advertising the availability of 815 million records, including "Indian Citizen Aadhaar & Passport" data. Resecurity wrote in a blog post: "On 9 October, a threat actor going by the name 'pwn0001' posted a thread on Breach Forums brokering access to 815 million 'Indian Citizen Aadhaar & Passport' records. Notably, India's entire population is over 1.486 billion people."
The company added that investigators from its HUNTER (HUMINT) unit, who established contact with the threat actor, learned that the actor was willing to sell the entire Aadhaar and Indian passport database for USD 80,000.
As per media reports, the Central Bureau of Investigation (CBI) is investigating the breach advertised by the hacker 'pwn0001'.
Another report, by News18, states that the compromised data might have come from the Indian Council of Medical Research (ICMR) database.
A hacker on X (formerly Twitter) also posted: "India Biggest Data Breach: Unknown hackers have leaked the personal data of over 800 million Indians of COVID-19. The leaked data includes: Name, Father's name, Phone number, Other number, Passport number, Aadhaar number, Age."
Resecurity's researchers found that the leaked sample contained 100,000 records with personal details of Indian citizens. To check their accuracy, some of these records were tested against the government portal's "Verify Aadhaar" feature, which confirmed that the Aadhaar numbers in them were valid.
The Indian Computer Emergency Response Team (CERT-In) has also alerted ICMR about the breach, according to News18. COVID-19 test data is spread across several government bodies, including the National Informatics Centre (NIC), ICMR and the Ministry of Health, which makes it difficult to identify where the breach originated. So far there has been no public response to the leak from the Ministry of Electronics and Information Technology or the other agencies concerned.
This is not the first time a large medical institution in India has suffered a breach. In November 2022 a ransomware attack on AIIMS Delhi's servers encrypted more than 1 TB of data; media reports attributed the attack to Chinese actors and cited a ransom demand of Rs 200 crore in cryptocurrency. The hospital was forced to fall back on manual record-keeping for around 15 days, slowing every process in an already overcrowded institute. Earlier this year AIIMS reported a further malware attack on its systems.
Regular monitoring and auditing of data systems are crucial to identify vulnerabilities and prevent breaches, and security measures must be updated continuously as new threats emerge. Breaches involving sensitive medical data are particularly concerning because of the potential harm to individuals' privacy, health and well-being. Organizations and healthcare providers must take these matters seriously and invest in robust security measures to protect this information. When a breach does occur, a swift and well-organized response is critical to minimize harm and rebuild trust.