October 31, 2023 06:00 am

The Central Government is yet to respond to reports about the American cyber security and intelligence agency Resecurity’s alert on the alleged data leak of over 81 crore Indians Aadhaar and passport information along with names, phone numbers and addresses with the Indian Council of Medical Research (ICMR).

ICMR has faced multiple cyber-attack attempts since February, and the latest alleged breach also involves a ‘threat actor’ with a handle on X advertising the database for sale on the dark web, claiming that this COVID-19 test details of citizens have been sourced from ICMR.

While Resecurity did not speculate on how the Aadhaar numbers, addresses and other such personal information found their way into the dark web in such numbers, this is not the first time a breach has surfaced on large databases with Indians’ information. In June, a Telegram chat allowed people to fetch any entries from the CoWIN vaccination portal’s database, potentially allowing the Aadhaar or passport numbers of vaccinated beneficiaries to leak.

It is not clear if that breach, for which a man and a minor in Bihar were detained, is related to this one. The law is not yet set on data breaches of this kind, as the Digital Personal Data Protection Act, 2023, has not yet been notified, even though it passed Parliament and received the President’s assent in August.

There are reports about ICMR being alerted about the breach, while the epicentre of leakage has not been identified. “A threat actor going by the alias ‘pwn0001’ posted a thread on Breach Forums on October 9, brokering access to Indian Citizen Aadhaar & Passport records,” notes reports.

