Mumbai: The prospect of having to pay for hitherto-free Reliance Jio facilities including calls and data led 35-year-old Computer Science student Imran Chippa to hack into the company’s database systems, police said on Friday. Chippa, a resident of Sujangarh town in Rajasthan, was arrested last week in connection with the case.
“Chippa got hold of a forwarded message on a chat application which promised people ways to get free recharges. After clicking on the link provided, he found an ID and password,” a police officer who is part of the investigation said. These credentials are given to Jio vendors to be entered into a specially designed mobile application for carrying out transactions like recharges for customers. The credentials (the ID and password) which the accused got were reportedly for a vendor in Odisha, he added.
However, Chippa, who had earlier appeared for an MCA exam and was searching for a job, could not get the free recharge that he wanted, the officer said. He entered Jio mobile numbers on the app after gaining access using the credentials, and was surprised to get ‘personal details’ of Jio customers, he said. “This is when the idea to commercially utilise the data stuck him. Using his skills in computer programming, Chippa began developing an app similar to the True Caller app, and started by creating a web host.”
In the attempt, he created the website, www.magicapk.com, which was hosted by Andheri-based company Endurance International Group. According to the police, Chippa claimed to provide Jio user data through his website. He allegedly began accessing Reliance Jio’s systems without authorisation in the first week of July, and the company’s customer data began appearing on magicapk.com.
RJio catches on
At 5.15 p.m. on July 9, vigilance officers at RJio were shocked to discover the access given to the general public through the website, and continued monitoring the site till 9.30 p.m., police said. Later, the company’s vigilance officers approached Rabale MIDC police station with a complaint. “After gaining unauthorised access to RJio’s data, magicapk.com had received over 50,000 hits,” DCP (Crime) Tushar Doshi, Navi Mumbai Police, said.
On July 9, a telecom industry portal wrote about the alleged data security issues, following which a probe was launched, resulting in Chippa’s arrest of from Rajasthan. RJio had earlier said the claims of the website were unverified and unsubstantiated. “Prima facie, data appears to be unauthentic. We want to assure our subscribers that their data is safe and maintained with highest security. Data is only shared with authorities as per their requirement,” it had said. Jio had also said it has “informed law enforcement agencies about the claims of the website and will follow through to ensure strict action is taken”.
Mr. Doshi said as part of its regular operations, RJio, whose subscriber base had crossed 100 million within six months of its launch in September, makes certain data available to retailers through a website, and Chippa gained unauthorised access to the company’s servers.
Asserting that this excludes sensitive information like Aadhaar details or PAN numbers, Mr. Doshi said it was possible to obtain an RJio subscriber’s name, email ID, SIM activation date, telecom circle and alternate number by performing a search for an RJio number.
Reliance was one of the first operators to add customers solely on the basis of Aadhaar details as address and identity proof. Later, the government made it mandatory for all new connections to be activated against Aadhaar details. The presence of Aadhaar details, which includes biometrics, had raised concerns in certain quarters after the data breach came to light.