Recently, the Ministry of Corporate Affairs fixed a critical vulnerability in its online portal months after a cybersecurity researcher reported it to the Computer Emergency Response Team of India (CERT-In). The vulnerability reportedly exposed personal details — like Aadhaar, PAN, voter identity, passport, date of birth, contact number, and communication address — of more than 98 lakh directors of Indian companies.
The vulnerability also exposed the personal data of top industrialists, celebrities, and sports personalities in the country.
What is Personally Identifiable Information (PII)?
PII is any data or information maintained by an organisation or agency that can potentially be used to identify a specific individual. This could include information such as Aadhaar, PAN, voter identity, passport, date of birth, contact number, communication address, and biometric information.
The constituents of PII vary depending on an individual’s home country. However, non-PII in tandem with additional information can be used to identify an individual. Non-PII information includes photographic images (especially of the face or other identifying characteristics), place of birth, religion, geographic indicators, employment information, educational qualifications, and medical records.
All this information can be used to identify individuals accurately. And while access to one set of PII may be enough to compromise online security, access to multiple databases can be used to identify and target individuals.
What is the difference between sensitive and non-sensitive PII?
Nonsensitive PII is publicly available information and can be stored and transmitted unencrypted. This includes information such as zip code, race, gender, and religion. They cannot be used to accurately identify an individual.
Sensitive PII, when exposed, can be used to identify individuals and potentially cause harm. Some of the most important components that constitute sensitive PII are stored by employers, government organisations, banks, and other digital accounts used by individuals.
(For top technology news of the day, subscribe to our tech newsletter Today’s Cache)
What are the risks of PII exposure?
Cyberattacks and weaknesses in digital infrastructure can lead to the exposure of citizens’ PII.
Threat actors can gain access to exposed PII and misuse it to launch targeted attacks on individuals. These attacks could range from phishing attacks with messages curated with PII information, to fraudulently opening bank accounts, and siphoning funds from accounts allotted to beneficiaries of government welfare programmes. Threat actors may also use such information to obtain cellular connections, credit cards, and compromise the security of an individual’s digital accounts.
Threat actors are also known to sell exposed PII information on the dark web.
Has your PII been compromised?
In 2023, reports emerged that a bot on Telegram was returning the personal data of Indian citizens who registered with the COVID-19 vaccine intelligence network (CoWIN) portal for vaccination purposes. A similar data breach was reported when an American cybersecurity company said that the personally identifiable information of 815 million Indian citizens, including Aadhaar numbers and passport details, were being sold on the dark web. At the time, a cybersecurity company, Resecurity, said it contacted multiple victims who verified the validity of their data.
The government of India denied allegations of a biometric data leak, as well as a breach in the CoWIN portal. It did, however, launched an investigation into the allegations that led to the arrest of a man in Bihar, along with a juvenile in June 2023.
A data breach was also reported in the RailYatri platform in January 2023. Additionally, 67% of Indian government and essential services organisations experienced over a 50% increase in disruptive cyberattacks, a report from Resecurity said. Furthermore, a survey of 200 IT decision-makers noted that 45% of Indian businesses experienced more than a 50% increase in cyberattacks.
How to protect PII?
Individuals may not be able to prevent leaks in databases of government organisations or service providers. However, they can take steps to ensure that their PII is not readily available to threat actors.
Look for HTTPS in URLs when visiting unknown websites. The “S” stands for secure and is used by legitimate websites to secure collected information from unsecured connections. Some browsers may also use a lock symbol in the URL bar to signify that a website is secure.
Use a VPN when accessing sensitive information using public networks. A VPN helps protect PII and other vital data by securing your online connection from prying eyes on public networks.
Keep a tab on your PII like Aadhaar, passport, PAN, Voter ID, and other important proofs of identity. Avoid sharing or accessing images or details of identity documents through unknown devices. In case you do access them at a photocopy shop or devices owned by others, make sure to delete the documents even from recycle bins to ensure they are not misused.
Avoid sharing personal information on social media platforms.
In case your PII is leaked, be on the lookout for phishing attacks, that may use leaked information to convince you they are legitimate.
Keep a tab on your bank account transactions, credit cards, and credit score; a hit in the score could mean your PII has been misused to procure credit cards in your name.
