Data breaches in India: Difference between revisions

'''Data breach incidences in India''' were the second highest globally in 2018, according to a report by digital security firm [[Gemalto]].<ref>{{Cite news|date=2019-04-18|title=JustDial data leak exposed personal details of 100 million users: IT expert|work=Business Standard India|url=https://www.business-standard.com/article/technology/justdial-data-leak-exposed-personal-details-of-100-million-users-it-expert-119041800271_1.html#:~:text=Justdial,%20a%20company%20that%20provides,cyber-security%20researcher%20Rajshekhar%20Rajaharia.|access-date=2020-12-04}}</ref><ref>{{Cite web|date=October 15, 2018|title=Data breach in India second highest after US in H1,2018: Gemalto - Times of India|url=https://timesofindia.indiatimes.com/business/india-business/data-breach-in-india-second-highest-after-us-in-h12018-gemalto/articleshow/66227056.cms|access-date=2020-12-07|website=The Times of India|language=en}}</ref> With over 690 million internet subscribers<ref>{{Cite web|title=Total internet users in India|url=https://www.statista.com/statistics/255146/number-of-internet-users-in-india/|access-date=2020-12-09|website=Statista|language=en}}</ref> and growing, India has increasingly seen a rise in data breaches both in the private and public sector.<ref>{{Cite web|title=India sees 37% increase in data breaches, cyber attacks this year|url=https://www.theweek.in/news/biz-tech/2020/11/17/india-sees-37-increase-in-data-breaches-cyber-attacks-this-year.html|access-date=2020-12-09|website=The Week|language=en}}</ref><ref>{{Cite web|title=India saw a 37% increase in cyberattacks in the first three months of 2020|url=https://www.businessinsider.in/tech/news/india-saw-a-37-increase-in-cyberattacks-in-the-first-three-months-of-2020/articleshow/75914735.cms|access-date=2020-12-09|website=Business Insider}}</ref> This is a list of some of the biggest data breaches in the country.

In October 2016, it was reported<ref>{{Cite web|last=Gopakumar|first=Gopika|date=2017-02-09|title=Malware caused India's biggest debit card data breach: Audit report|url=https://www.livemint.com/Industry/jVF2Aw72w0DcBsUGseV0UP/Malware-caused-Indias-biggest-debit-card-fraud-Audit-repor.html|access-date=2020-12-08|website=mint|language=en}}</ref><ref name=":1">{{Cite news|last1=Shukla|first1=Saloni|last2=Bhakta|first2=Pratik|title=3.2 million debit cards compromised; SBI, HDFC Bank, ICICI, YES Bank and Axis worst hit|work=The Economic Times|url=https://economictimes.indiatimes.com/industry/banking/finance/banking/3-2-million-debit-cards-compromised-sbi-hdfc-bank-icici-yes-bank-and-axis-worst-hit/articleshow/54945561.cms?from=mdr|access-date=2020-12-08}}</ref> that as many as 3.2 million [[debit card]]s from major Indian banks were compromised due to a [[malware]] injection in the [[Hitachi]] Payment Services system. Hitachi provides ATM and [[Point of sale]] services in India and the malware enabled hackers to extract money from user accounts. The [[National Payments Corporation of India|NPCI]] (National Payments Corporation of India) reported losses of nearly 13 million INR ($195,000 USD in 2016) in fraudulent transactions.<ref name=":1" /><ref>{{Cite news|date=2016-10-21|title=Millions of Indian debit cards 'compromised' in security breach|language=en-GB|work=BBC News|url=https://www.bbc.com/news/world-asia-india-37725187|access-date=2020-12-08}}</ref> The worst hit banks included the State Bank of India ([[State Bank of India|SBI]]), [[ICICI]], [[HDFC Bank|HDFC]], [[YES Bank]] and [[Axis Bank]] among others. The breach went undetected for 6 weeks and banks were alerted only after several international banks reported fraudulent use of cards in [[China]] and the [[United States]] while the customers were in [[India]]. SBI blocked and reissued 600,000 debit cards and was reported to be one of the biggest card replacements in Indian banking.<ref>{{Cite web|date=2016-10-21|title=Multiple banks hit: 3.2 million debit cards compromised; how it happened, what happens now?|url=https://indianexpress.com/article/explained/multiple-banks-hit-3-2-million-debit-cards-compromised-how-it-happened-what-happens-now-3094108/|access-date=2020-12-08|website=The Indian Express|language=en}}</ref>

In early 2018, Indian government's identification database [[Aadhaar]] (similar to [[Social Security number|SSN]]) was reported to be leaking information on every registered Indian citizens<ref name="Whittaker">{{Cite web|last=Whittaker|first=Zack|title=A new data leak hits Aadhaar, India's national ID database|url=https://www.zdnet.com/article/another-data-leak-hits-india-aadhaar-biometric-database/|access-date=2020-12-08|website=ZDNet|language=en}}</ref> including names, bank details and other private information like [[biometric]] data.<ref>{{Cite news|last=Doshi|first=Vidhi|date=4 January 2018|title=A security breach in India has left a billion people at risk of identity theft|url=https://www.washingtonpost.com/news/worldviews/wp/2018/01/04/a-security-breach-in-india-has-left-a-billion-people-at-risk-of-identity-theft/|url-status=live|archive-url=https://web.archive.org/web/20180105162153/https://www.washingtonpost.com/news/worldviews/wp/2018/01/04/a-security-breach-in-india-has-left-a-billion-people-at-risk-of-identity-theft/ |archive-date=5 January 2018 |access-date=|newspaper=The Washington Post}}</ref> Managed by [[Unique Identification Authority of India]] (UIDAI), Aadhar is a unique identification number obtained by over 1.1 billion<ref>{{Cite web|title=1 bn records compromised in Aadhaar breach since January: Gemalto|url=https://www.thehindubusinessline.com/news/1-bn-records-compromised-in-aadhaar-breach-since-january-gemalto/article25224758.ece|access-date=2020-12-08|website=@businessline|date=15 October 2018 |language=en}}</ref><ref name="social.techcrunch.com">{{Cite web|title=Indian state government leaks thousands of Aadhaar numbers|url=https://social.techcrunch.com/2019/01/31/aadhaar-data-leak/|access-date=2020-12-08|website=TechCrunch|language=en-US}}</ref> residents or passport holders of India based on their biometric and [[Demography|demographic]] data. The data leak was first revealed after anonymous sellers over [[WhatsApp]] provided unrestricted access to the Aadhar database for nominal costs.<ref>{{Cite web|title=India's national ID database is reportedly accessible for less than $10|url=https://social.techcrunch.com/2018/01/04/indias-national-id-database-is-reportedly-accessible-for-less-than-10/|access-date=2020-12-08|website=TechCrunch|language=en-US}}</ref><ref>{{Cite web|title=Rs 500, 10 minutes, and you have access to billion Aadhaar details|url=https://www.tribuneindia.com/news/archive/nation/rs-500-10-minutes-and-you-have-access-to-billion-aadhaar-details-523361|access-date=2020-12-08|website=Tribuneindia News Service|language=en}}</ref> [[The Tribune (Chandigarh)|The Tribune]], an Indian newspaper reported that over 100,000 ex-employees of the [[Ministry of Electronics and Information Technology]] continued to have free access to the UIDAI system and therefore, the Aadhar database. Another data leak was found in the following months wherein a state-owned utility company [[Indane (LPG)|Indane]]'s (LPG) unprotected system allowed anyone to access private information on all Aadhaar holders. The company had unlimited access to the Aadhar database to verify user accounts and an unprotected API endpoint through the company's system allowed unauthorized queries to the database for potentially all Aadhar holders.<ref name="Whittaker"/> Not just indirectly, Aadhar information of over 130 million citizens was breached through state government websites as over 200 government websites erroneously made the database public.<ref name="social.techcrunch.com"/><ref>{{Cite news|title=Aadhaar: World's largest ID database exposed by India government errors|work=The Economic Times|url=https://economictimes.indiatimes.com/news/economy/policy/worlds-largest-id-database-exposed-by-india-government-errors/articleshow/64169884.cms?from=mdr|access-date=2020-12-08}}</ref><ref>{{Cite web|date=2017-05-03|title=130 mn Aadhaar numbers were not leaked, they were treated as publicly shareable data: CIS|url=https://www.firstpost.com/tech/news-analysis/130-mn-aadhaar-numbers-were-not-leaked-they-were-treated-as-publicly-shareable-data-cis-3702187.html|access-date=2020-12-08|website=Tech2}}</ref> The UIDAI has unequivocally denied any data breach in the Aadhar database<ref>{{Cite web|url=https://twitter.com/uidai/status/977549782796259331|access-date=2020-12-09|website=Twitter|language=en}}</ref><ref>{{Cite web|last=Whittaker|first=Zack|title=A new data leak hits Aadhaar, India's national ID database|url=https://www.zdnet.com/article/another-data-leak-hits-india-aadhaar-biometric-database/|access-date=2020-12-09|website=ZDNet|language=en}}</ref> even though many of the unsecure endpoints and government websites with unauthorized data access were put offline after the reports. UIDAI also filed a case against The Tribune under Sections 419, 420, 468 and 471 of the [[Indian Penal Code]] (IPC) alleging false reporting.<ref>{{Cite web|date=January 7, 2018|title=UIDAI files FIR against The Tribune reporter over story on Aadhaar data breach|url=https://www.indiatoday.in/india/story/aadhaar-data-breach-fir-tribune-story-data-uidai-1124160-2018-01-07|access-date=2020-12-09|website=India Today|language=en}}</ref> The [[World Economic Forum|WEF]] [[Global Risks Report|Global Risk Report]] deemed the Aadhar breach as the largest data breach in the world.<ref>{{Cite web|title=Aadhaar Data Breach Largest in the World, Says WEF's Global Risk Report and Avast|url=https://www.moneylife.in/article/aadhaar-data-breach-largest-in-the-world-says-wefs-global-risk-report-and-avast/56384.html|access-date=2020-12-08|website=Moneylife NEWS & VIEWS}}</ref>

In January 2019, [[State Bank of India|SBI]] exposed customer data, including mobile numbers, partial account numbers, balances and transaction details from an unprotected server in its [[Mumbai]] data center.<ref name=":0">{{Cite web|title=SBI data leak: What happened? What can you do? All you need to know|url=https://www.businesstoday.in/technology/sbi-data-leak-what-happened-sbi-data-breach-financial-data/story/316071.html|access-date=2020-12-07|website=www.businesstoday.in|date=February 2019 }}</ref><ref name="ReferenceA">{{Cite web|title=India's largest bank SBI leaked account data on millions of customers|url=https://social.techcrunch.com/2019/01/30/state-bank-india-data-leak/|access-date=2020-12-07|website=TechCrunch|language=en-US}}</ref> The server hosted SBI's "[https://www.onlinesbi.com/sbf_quick.html SBI Quick]" service, a text and call based system to provide inquiring customers with updates on account balances, recent transactions and credit information.<ref name=":0" /> The server was not password protected and allowed the retrieval of customer-specific messages through the back-end text messaging system.<ref name="ReferenceA"/> The outgoing messages from the system were available in real time, along with over two months of daily archives, exposing financial details of millions of customers. Though SBI resolved the issue after the initial investigation by [[TechCrunch]],<ref>{{Cite web|first=Prasad|last=Ramesh|date=2019-01-31|title=SBI data leak in India results in information of millions of customers exposed online|url=https://securityboulevard.com/2019/01/sbi-data-leak-in-india-results-in-information-of-millions-of-customers-exposed-online/|access-date=2020-12-07|website=Security Boulevard|language=en-US}}</ref> the bank dismissed the reports, saying customer data and financial records remained secure.<ref>{{Cite news|last=Das|first=Saikat|title=State Bank of India: SBI denies data leak charges, but customers be on alert|work=The Economic Times|url=https://economictimes.indiatimes.com/industry/banking/finance/banking/sbi-denies-data-leak-charges-but-customers-be-on-alert/articleshow/67779161.cms?from=mdr|access-date=2020-12-07}}</ref>

In April 2019, the [[Mumbai]]-based local search engine [[Justdial]] was hit by a data breach that leaked details, including names, mobile numbers, email ids, occupations and addresses of nearly 10 crore (100 million) users.<ref>{{Cite web|date=2019-04-18|title=Justdial suffers massive data breach! Over 10 cr users' details exposed; company denies reports|url=https://news.abplive.com/news/gadgets/justdial-suffers-massive-data-breach-over-10-cr-users-details-exposed-company-denies-reports-968341|access-date=2020-12-04|website=news.abplive.com|language=en}}</ref><ref>{{Cite web|title=Data of 10 crore Justdial users exposed since 2015: Researcher|url=https://inshorts.com/en/news/data-of-10-crore-justdial-users-exposed-since-2015-researcher-1555422518238|access-date=2020-12-04|website=Inshorts - Stay Informed|language=en}}</ref><ref>{{Cite web|date=April 18, 2019|first=Shweta|last=Ganjoo|title=JustDial data breach: Personal data of over 100 million users exposed online|url=https://www.indiatoday.in/technology/news/story/justdial-data-breach-personal-data-of-over-100-million-users-exposed-online-1504929-2019-04-18|access-date=2020-12-05|website=India Today|language=en}}</ref> Multiple sources suggested that the leak was due to an unprotected API endpoint<ref>{{Cite web|title=Over 100 Million JustDial Users' Personal Data Found Exposed On the Internet|url=https://thehackernews.com/2019/04/justdial-hacked-data-breach.html|access-date=2020-12-04|website=The Hacker News|language=en}}</ref><ref>{{Cite news|date=2019-04-18|title=JustDial data leak exposed personal details of 100 million users: IT expert|work=Business Standard India|url=https://www.business-standard.com/article/technology/justdial-data-leak-exposed-personal-details-of-100-million-users-it-expert-119041800271_1.html#:~:text=Justdial,%20a%20company%20that%20provides,cyber-security%20researcher%20Rajshekhar%20Rajaharia|access-date=2020-12-04}}</ref> accessible since mid-2015 on the company's old website and app. While Justdial admitted to vulnerability of certain user details on the old version of the app, the company largely refuted the reports, suggesting that user and financial information was protected by the search platform through an OTP authentication system.<ref>{{Cite web|date=2019-04-18|title=Justdial suffers massive data breach! Over 10 cr users' details exposed; company denies reports|url=https://news.abplive.com/news/gadgets/justdial-suffers-massive-data-breach-over-10-cr-users-details-exposed-company-denies-reports-968341|access-date=2020-12-05|website=news.abplive.com|language=en}}</ref>

In September 2019, the [[Nuclear Power Corporation of India]] (NPCI) confirmed that India's largest nuclear plant, the [[Kudankulam Nuclear Power Plant|Kudankulam nuclear power plant]] was attacked by a malware that collected information on the plant's [[Information technology|IT]] network.<ref name=":4">{{Cite web|first1=Kartik|last1=Palani|first2=Prashant|last2=Anantharaman|title=What happened when the Kudankulam nuclear plant was hacked – and what real danger did it pose?|url=https://scroll.in/article/943954/what-happened-when-the-kudankulam-nuclear-plant-was-hacked-and-what-real-danger-did-it-pose|access-date=2020-12-09|website=Scroll.in|date=20 November 2019 |language=en-US}}</ref><ref name=":5">{{Cite web|last=Porup|first=J. M.|date=2019-12-09|title=How a nuclear plant got hacked|url=https://www.csoonline.com/article/3488816/how-a-nuclear-plant-got-hacked.html|access-date=2020-12-09|website=CSO Online|language=en}}</ref> The breach was detected after a data file with traces of the Dtrack malware was uploaded on a cyber security firm’s website.<ref>{{Cite news|last=Das|first=Debak|title=Analysis {{!}} An Indian nuclear power plant suffered a cyberattack. Here's what you need to know.|language=en-US|newspaper=Washington Post|url=https://www.washingtonpost.com/politics/2019/11/04/an-indian-nuclear-power-plant-suffered-cyberattack-heres-what-you-need-know/|access-date=2020-12-09|issn=0190-8286}}</ref> [[Indian Computer Emergency Response Team|CERT-India]] detected the malware in an infected PC connected to the administrative network. The NPCI claimed that the malware '''did not''' have access to the OT network responsible for internal, critical plant systems.<ref>{{Cite web|date=2019-10-29|title=Cyber attack at Kudankulam; critical system safe|url=https://www.hindustantimes.com/india-news/cyber-attack-on-kudankulam-plant-network-not-possible/story-4b5QiRVGuTtTi4MlOexadL.html|access-date=2020-12-09|website=Hindustan Times|language=en}}</ref> Tailored specifically for the plant, the attackers earlier broke into the plant's IT networks and stole admin credentials and used them to gain more information about the plant's networks through the malware. Multiple reports suggested that the malware was solely deployed to collect information,<ref name=":4" /><ref name=":5" /> including internet search history from the browser installed on the infected PC, local operating system registry information such as registered owner, registered organization and current user and the list of active processes on the PC. The information was written into temporary files extracted from a remote server by the attacker. The Dtrack malware has been traced back to the [[North Korea]]-linked<ref>{{Cite web|title=Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups {{!}} U.S. Department of the Treasury|url=https://home.treasury.gov/news/press-releases/sm774|access-date=2020-12-09|website=home.treasury.gov}}</ref> [[Lazarus Group]].

In November 2020, the [[Bangalore]]-based online grocer [[BigBasket]] suffered a data breach that leaked the details of their over 2 crore (20 million) users, including email IDs, password hashes, PINs, phone numbers, addresses, dates of birth, locations and IP addresses.<ref name=":2">{{Cite web|date=2020-11-12|title=Explained: How big is the Bigbasket data breach?|url=https://indianexpress.com/article/explained/explained-how-big-is-the-bigbasket-data-breach-7026688/|access-date=2020-12-09|website=The Indian Express|language=en}}</ref> The data breach was noticed after the data was put on sale on the [[dark web]] for almost ₹30 lakh INR ($40000 USD in 2020).<ref name=":2" /> The cause of the breach was an unsecure [[SQL]] file, potentially hacked into using an [[SQL injection]], that contained over 15 GBs of user data.<ref>{{Cite web|date=November 9, 2020|first=Balakumar|last=K.|title=Online grocery store BigBasket leaks out big data - possibly 20 million|url=https://www.techradar.com/news/data-breach-at-bigbasket-20-million-users-privacy-may-have-been-hit|access-date=2020-12-09|website=TechRadar|language=en}}</ref> Bigbasket has acknowledged the breach<ref>{{Cite web|orig-date=November 9, 2020|date=November 10, 2020|first=Ankita|last=Chakravarti |title=BigBasket confirms data breach of 2 crore BB users, here is what we know so far|url=https://www.indiatoday.in/technology/features/story/bigbasket-confirms-data-breach-of-2-crore-bb-users-here-is-what-we-know-so-far-1739342-2020-11-09|access-date=2020-12-09|website=India Today|language=en}}</ref> and filed a case with the Banglore Cyber Crime cell. The breach is currently under investigation.

In May 2020, the [[Bangalore]]-based online learning platform [[Unacademy]] found compromised email data of over 11 million users but no sensitive information such as financial data, location or passwords has been breached.<ref name=":3">{{Cite web|date=2020-05-07|title=Unacademy Suffers Data Breach; 22 Mn Users' Records for Sale|url=https://cisomag.eccouncil.org/unacademy-data-breach/|access-date=2020-12-09|website=CISO MAG {{!}} Cyber Security Magazine|language=en-US}}</ref><ref>{{Cite web|title=Unacademy hacked, data of 20 million users up for sale|url=https://www.theweek.in/news/sci-tech/2020/05/07/unacademy-hacked-data-of-20-mn-users-up-for-sale.html|access-date=2020-12-09|website=The Week|language=en}}</ref> The breach was revealed after the company's 20 million user accounts were being sold on the dark web for almost ₹1.5 lakh INR ($2,000 USD).<ref>{{Cite news|first=Samreen|last= Ahmad|title=Unacademy data hacked, names and passwords put on sale: Security firm|language=en|url=https://www.business-standard.com/article/companies/unacademy-s-database-hacked-information-of-11-million-users-compromised-120050701280_1.html|access-date=2020-12-09}}</ref><ref>{{Cite web|first=Natasha|last=Mathur|date=2020-05-07|title=Unacademy Data Breach: Data of Nearly 22 Million Users Sold On Dark Web|url=https://in.mashable.com/tech/13837/unacademy-data-breach-data-of-nearly-22-million-users-sold-on-dark-web|access-date=2020-12-09|website=Mashable India|language=en-in}}</ref> [https://cyble.io/ Cyble], a cybercrime monitoring company claimed that beyond user accounts, user data including IDs, passwords, date joined, last login date, email IDs, names and user credentials had also been breached.<ref name=":3" /><ref>{{Cite web|last=Ahaskar|first=Abhijit|date=2020-05-06|title=Millions of Unacademy user accounts exposed in data breach: Report|url=https://www.livemint.com/technology/tech-news/over-20-mn-unacademy-user-accounts-exposed-in-data-breach-report-11588775083410.html|access-date=2020-12-09|website=mint|language=en}}</ref> Unacademy is yet to verify whether the entire database was vulnerable to the breach

On 21 May 2021, it was reported that [[Air India]] was subjected to a cyberattack whereas the personal details of about 4.5 million customers around the world were compromised. The breach involved personal data registered between 26 August 2011 and 3 February 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data as well as credit card data<ref>{{Cite web|date=2021-05-22|title=Explained: What is the data breach that has hit Air India customers?|url=https://indianexpress.com/article/explained/air-india-sita-data-breach-explained-7325501/|access-date=2021-05-23|website=The Indian Express|language=en}}</ref><ref>{{Cite news|title=Air India cyberattack: Personal data of over 4.5 million passengers leaked|url=https://www.irishtimes.com/news/world/asia-pacific/air-india-cyberattack-personal-data-of-over-4-5-million-passengers-leaked-1.4572596|access-date=2021-05-23|newspaper=The Irish Times|language=en}}</ref>