A look at the data breaches that rocked India in 2021 on World Password Day
With COVID-19 came digitization. With digitization came contactless services, work from home, and an unforeseen boost in online services. Millions of users started registering for ecommerce, fintech, grocery delivery, healthtech, and more, adding to the burgeoning databases of businesses and organizations.
And with all this, came cybersecurity threats. One after the other, organizations are facing malicious hacks, even as they scramble to contain the damage done.
In November last year, even as India's fintech and healthtech sectors struggled with breaches, cybersecurity firm Kaspersky predicted an increase in Indian cyberattack incidents in 2021. Now, here we are in 2021. Has that prediction come true?
It's only May, and the media has already been abuzz with several cybersecurity hacks. There was an 845% spike in cyberattacks on mobile devices alone between October 2020 and March 2021, according to Check Point Software Technologies' Mobile Security Report 2021.
Today, even as the world celebrates World Password Day, let's look at the worst data breaches so far that have been riling up India's businesses and organizations.
In January, 35 million user accounts were impacted when information including masked card data and card fingerprints was stolen from a Juspay server using an access key that had not been recycled. The breach actually occurred in August 2020, but the event came to light only when independent cybersecurity researcher Rajshekhar Rajaharia found the data for sale on the dark web for around US$5000.
A payments startup, Juspay partners with the likes of Amazon, Swiggy, MakeMyTrip, Yatra, Freecharge, BookMyShow, Snapdeal, amongst others, processing about 650k transactions every day.
The seller made use of the Telegram messaging app to negotiate prices, which is apparently popular with hackers because of its ability to set self-destruct timers on messages and media.
“The hacker started at US$8000 as the asking price for the data, then stepped down to US$6000. He ultimately settled for US$5000 for the Juspay data dump,” CSO Online quoted Rajaharia as saying.
COVID-19 test results
January saw another data breach when COVID-19 lab test results of at least 1500 Indian citizens were leaked online from government websites.
A twist that seems worrisome is that the leaked data has not been seen for sale in dark web forums. Instead, the information is publicly accessible because of Google indexing COVID-19 lab test reports.
The breached information had full names of patients, dates of birth, testing dates, and the names of the centres where the tests were held. Moreover, experts say that the reports were hosted on the same CMS system that is generally used by government entities when posting publicly accessible documents.
The leaked information that appeared on Google was hosted on websites belonging to government agencies that typically use *.gov.in and *.nic.in domains. In fact, the agencies involved were found to be located in New Delhi.
Police Exam Database
Information regarding 500,000 candidates for a police exam went up for sale in February. Threat intelligence firm CloudSEK was able to trace the data back to a police exam that had been held on 22 December 2019.
The seller shared with CloudSEK a sample of the data dump containing the information of 10,000 exam candidates. The information included full names, mobile numbers, email IDs, dates of birth, FIR records, and criminal history of the exam candidates, most of them from Bihar.
There was another incident of data belonging to army or police personnel being breached, when hackers posted information on army personnel in Jammu and Kashmir on a public website.
In March, information belonging to 9.9 crore Mobikwik users was leaked online, though the fintech company continues to deny that any breach occurred. It was again Rajaharia who found the leak and accordingly informed the Reserve Bank of India, the Indian Computer Emergency Response Team (CERT-In), PCI Standards, and payment technology firms, among others.
We have written to @IndianCERT asking them to initiate an inquiry over the Mobikwik data breach under Sec. 70B(6) of the IT Act. We lay out 5 steps MobiKwik must take to alleviate the situation. Pls read and RT for public knowledge.
— Internet Freedom Foundation (IFF) (@internetfreedom) March 31, 2021
A breach at a fintech is always serious, and this one compromised the mobile phone numbers, bank account details, email addresses, and even credit card numbers of 9.9 crore Mobikwik users. French security researcher Elliot Alderson posted screenshots of the breach on Twitter, calling it the “largest KYC data leak in the history”.
In April Domino’s India faced a major data leak when credit card details of almost 10 lakh of its customers and employees were leaked on the Dark Web. The leaked information included names, phone numbers, and payment information, including credit cards, not to mention pizza preferences.
— anshuman singh (@orion_anshuman) April 19, 2021
Alon Gal, CTO of security firm Hudson Rock, discovered the leak when he found someone asking for 10 bitcoin, worth approximately US$535,000 or INR4 crore, for 13TB of data that included one million credit card records and details of 180 million Domino's India pizza orders.
Moneycontrol, the news site, was next, with personal data of more than seven lakh users leaked. The data was available on the dark web for sale at US$350. Independent cybersecurity researcher Sourajeet Majumder says the data contained usernames, passwords, phone numbers, email addresses, and the users' city and state of residence.
THIS IS HUGE !! A user of a hacking forum along with his partner are selling personal data of 700K+ users for just $350 which they have allegedly stolen from @moneycontrolcom's server 6-7 months back.
1/9@IndianCERT @NCIIPC @sanjg2k1 @internetfreedom #databreach #privacy pic.twitter.com/eiKOlCXQwj
— Sourajeet Majumder (@TechCrucio) April 8, 2021
What chills the heart is that the leaked passwords are visible in plain text, which made it easy to verify the authenticity of the sample of 40 accounts' data.
The hacker who posted the dump revealed that the database held 7,73,000 records with personal user data. They also claimed that the breach had occurred six to seven months earlier.
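Passwords visible in plain text in a stolen dump mean the site stored them as typed. The following is an added example, not code from the article or from any of the companies named in it, showing the two storage styles side by side: a plaintext user table, where a stolen copy gives the attacker every password directly, and a salted, iterated PBKDF2-HMAC-SHA256 hash (Python standard library only), where a stolen copy does not. The iteration count, the record format and the user names are assumptions chosen for illustration.

```python
"""Plaintext vs. hashed password storage, side by side (added example)."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed value; tune to your hardware and login latency budget
SALT_BYTES = 16        # per-user random salt so equal passwords give different records


# --- Weak: a plaintext store, the pattern the breach dump exposes ---------------
def register_plaintext(store: dict, username: str, password: str) -> None:
    store[username] = password  # stored exactly as typed


def login_plaintext(store: dict, username: str, password: str) -> bool:
    return store.get(username) == password


# --- Hardened: salted, iterated hash; only the record is ever stored ------------
def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (base64)."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iterations; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed or foreign record never verifies
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def register_hashed(store: dict, username: str, password: str) -> None:
    store[username] = hash_password(password)


def login_hashed(store: dict, username: str, password: str) -> bool:
    record = store.get(username)
    return record is not None and verify_password(password, record)


# --- What a stolen copy of the table reveals ------------------------------------
def dump_reveals_password(store: dict, username: str, password: str) -> bool:
    """True if the stored value contains the password itself, as a plaintext store does."""
    return password in str(store.get(username, ""))


if __name__ == "__main__":
    # Constructed sample account, not real user data.
    plain, hashed = {}, {}
    register_plaintext(plain, "alice", "hunter2")
    register_hashed(hashed, "alice", "hunter2")
    print("plaintext login ok:", login_plaintext(plain, "alice", "hunter2"))
    print("hashed login ok:   ", login_hashed(hashed, "alice", "hunter2"))
    print("dump reveals password (plaintext):", dump_reveals_password(plain, "alice", "hunter2"))
    print("dump reveals password (hashed):   ", dump_reveals_password(hashed, "alice", "hunter2"))
```

Registering the same password twice produces two different records because of the per-user salt, and `verify_password` rejects malformed records instead of raising, so a migrated or corrupted row fails closed. A dedicated password hash such as Argon2 or bcrypt is preferable where a library is available; PBKDF2 is used here only because it needs nothing outside the standard library.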
Another April breach involved Upstox, one of India's largest discount broking firms. The firm suffered a security breach that resulted in the exposure of its customers' KYC information. While the firm did not specify how much of its user data was exposed, media reports indicate a breach affecting at least 25 lakh customers.
On April 11, Upstox asked its customers to reset their passwords. It also took other precautions after receiving emails warning of an impending breach of customer contact data and KYC details stored in a third-party data warehouse.
After apologizing to its customers for the inconvenience, the firm reassured them about enhancing security and strengthening its bug bounty program.
Facebook users were exposed through a data breach when the personal data of more than 533 million users was posted in a low-level hacking forum. The leaked information included phone numbers, full names, locations, email addresses, and biographical information of users from 106 countries, India very much among them.
Experts say hackers could impersonate people and commit fraud with the help of this data.
This will lead to the same data breach issue that plagued facebook. I left facebook a long time ago and I wont think twice if @Twitter pushes through with this. I am holding back all plans now. https://t.co/fgdb3bGBqn
— Greefenery (@greefenery) May 7, 2021
Again, it was Alon Gal who first reported that someone was using a Telegram bot to sell phone numbers. The bot exploited a vulnerability in a Facebook feature that allowed access to the phone number linked to every account.
Analysis has revealed that among the metros, Delhi was the worst hit, with over 155,000 accounts compromised. Some 136,000 people from Mumbai, over 96,000 from Kolkata, and more than 39,000 from Chennai also fell victim to the breach.
Is There More to Come?
These incidents reveal that our organizations and government agencies must pull up their socks when it comes to cybersecurity. Most probably, such incidents are only going to increase, and we have to find ways of staying ahead of cyber miscreants.
And not just in India: according to the World Economic Forum's Global Risks Report 2021, cybersecurity failure is one of the greatest threats facing humanity over the next decade.
Not just organizations but individuals, too, must be vigilant when online. For example, according to Varutra Consulting, security researchers found a new phishing campaign that sent a Microsoft PowerPoint document as an email attachment to distribute a new version of the FormBook malware.
So, beware and happy World Password Day.