Friday, July 12, 2024

Sensitive Personal data on toss

Dr. M. Suresh Babu, President, Praja Science Vedika

Sensitive personal data of 81.5 million Indian users has leaked and surfaced on the dark web. The stolen information comprises Aadhaar and passport details, names, phone numbers, and temporary and permanent addresses. The data reportedly comes from the information collected by the Indian Council of Medical Research (ICMR) during COVID-19 testing. Data breaches involving sensitive personal information, particularly medical data, can have severe consequences for individuals and organizations. Medical data, also known as Protected Health Information (PHI) in India, typically includes patient records, medical history, treatment plans, and personal identifiers. Sensitive medical data often includes highly personal and confidential information, such as medical diagnoses, treatment histories, medications, and potentially even genetic data. In many cases, this data is subject to legal protections and regulations, but India has no equivalent of the Health Insurance Portability and Accountability Act.

Sensitive information belonging to 81.5 crore Indians has emerged on the dark web, potentially marking the biggest data breach in India’s history. The leak was brought to attention by ‘pwn0001’, a hacker who advertised the stolen information on the dark web. The information is believed to have come from the data collected by the Indian Council of Medical Research (ICMR) during COVID-19 testing. However, the epicentre of the leak is still unknown. As per the data shared by the hacker, the stolen information comprises Aadhaar and passport details, along with names, phone numbers, and temporary and permanent addresses of millions of Indians. The hacker also claims that this data comes from the information ICMR collected during COVID-19 testing.

Data breaches in medical data can lead to significant harm to individuals. This can include identity theft, medical identity theft (fraudulently obtaining medical services in someone else’s name), and exposure of sensitive medical conditions. The consequences of such breaches can extend beyond financial loss and may impact an individual’s physical and mental health. Healthcare organizations must implement robust security measures to protect medical data, including encryption, access controls, and regular security audits. Employee training and awareness programs are also crucial, as many data breaches occur due to human error or insider threats. In the event of a data breach, healthcare providers and organizations should promptly notify affected individuals, regulatory authorities, and the media when required. An effective response plan should be in place to mitigate the impact of the breach, such as providing credit monitoring services to affected patients.

Beyond legal and regulatory requirements, there are ethical considerations related to handling sensitive medical data. Patients trust healthcare providers with their most personal information, and organizations have a responsibility to safeguard this trust.

The initial discovery of the data breach was made by Resecurity, an American agency specialising in cyber security and intelligence. On October 9, ‘pwn0001’ disclosed details about the breach on Breach Forums, advertising the availability of 815 million records, including “Indian Citizen Aadhaar & Passport” data. For context, India’s total population is a little over 1.486 billion people. Resecurity wrote in a blog post, “On 9 October, a threat actor going by the name ‘pwn0001’ posted a thread on Breach Forums brokering access to 815 million ‘Indian Citizen Aadhaar & Passport’ records. Notably, India’s entire population is over 1.486 billion people.”

The company also added that investigators from its HUNTER (HUMINT) unit, who established contact with the threat actor, learned that the actor was willing to sell the entire Aadhaar and Indian passport database for $80,000.

As per media reports, the Central Bureau of Investigation (CBI) is currently investigating the breach that was discovered by hacker “pwn0001.”

Another report by News18 states that the compromised data might be from the Indian Council of Medical Research (ICMR) database.

A hacker on X has also posted, “India Biggest Data Breach Unknown hackers have leaked the personal data of over 800 million Indians Of COVID 19. The leaked data includes: Name, Father’s name, Phone number, Other number, Passport number, Aadhaar number, Age”

The Resecurity researchers have discovered that among the leaked data, there were 100,000 files with personal details of Indian citizens. To check their accuracy, some of these records were confirmed using a government portal’s “Verify Aadhaar” feature, which authenticated the Aadhaar information.

The Computer Emergency Response Team of India (CERT-In) has also alerted ICMR about the breach, according to a report by News18. The COVID-19 test information is scattered across various government bodies like the National Informatics Centre (NIC), ICMR, and the Ministry of Health, making it challenging to identify where the breach originated. So far, there is no response to the leak from the Ministry of Information and Technology or other concerned agencies online.

This isn’t the first time that a large medical institute in India has faced a breach. Earlier this year, cybercriminals hacked into AIIMS’ servers and took charge of more than 1TB of data at the institute, asking for a hefty ransom. This forced the hospital to switch to manual record keeping for 15 days, slowing down all the processes in an already-overcrowded institute. A few months before that, in December 2022, AIIMS Delhi’s data was hacked by the Chinese, who had demanded Rs 200 crore in cryptocurrency.

Regular monitoring and auditing of data systems is crucial to identify vulnerabilities and prevent breaches. Security measures should be continuously updated to address new threats. Data breaches involving sensitive medical data are particularly concerning due to the potential for harm to individuals’ privacy, health, and well-being. Organizations and healthcare providers must take these matters seriously and invest in robust security measures to protect this sensitive information. In case of a breach, a swift and well-organized response is critical to minimize harm and rebuild trust.

Dr. M. Suresh Babu
Dr. M. Suresh Babu has been a Professor, Dean and Principal in various engineering colleges and institutions in Hyderabad and Anantapur. His approach to teaching is “For the student, by the student and to the student.” He is associated with several Civil Society Organizations like Praja Science Vedika and Election Watch.

