ICMR data leak reveals personal information of 81.5 cr Indians: Report

In what could possibly be the largest data breach in India's history, personal details of over 81.5 crore citizens with the Indian Council of Medical Research (ICMR) are being sold on the dark web. The data includes crucial information such as Aadhaar and passport details, as well as names, phone numbers, and addresses, according to reports. 
 
The breach was discovered by the US-based cybersecurity and intelligence firm Resecurity. They reported that on October 9, a threat actor known as 'pwn0001' posted a thread on Breach Forums offering access to 815 million 'Indian Citizen Aadhaar and Passport' records. 
 
The source of the leak is still unknown, but according to the hacker, the stolen information includes Aadhaar and passport details, names, phone numbers, and temporary and permanent addresses of millions of Indians. The hacker claims that this data was collected by ICMR during Covid-19 testing. 
 
The Covid-19 test information is spread across various government bodies like the National Informatics Centre (NIC), ICMR, and the Ministry of Health, making it difficult to determine where the breach originated. 
 
Cybersecurity analysts have also discovered a leaked sample containing 100,000 records of personally identifiable information (PII) related to Indian residents. Valid Aadhaar Card IDs were found in this sample and were verified through a government portal that offers a "Verify Aadhaar" feature. 
 
The analysts were able to communicate with the threat actor and learned that they were willing to sell the entire Aadhaar and Indian passport dataset for $80,000 (over Rs 66 lakh). However, the threat actor did not disclose how they obtained the data. 
 
In a separate incident, cybersecurity researchers found that the official website of the Ministry of AYUSH in Jharkhand had been breached, exposing over 3.2 lakh patient records on the dark web. According to cybersecurity firm CloudSEK, the site’s database, which amounts to 7.3MB, contains patient records that include PII and medical diagnoses. The compromised information also contains sensitive information about physicians, including their PII, login credentials, usernames, passwords, and phone numbers. The data breach was initiated by a threat actor named “Tanaka", it said.

This is not the first time a large medical institute in India has experienced a breach. Earlier this year, cybercriminals hacked into AIIMS' servers and gained control of over 1TB of data, demanding a hefty ransom. This incident forced the hospital to switch to manual record keeping for 15 days, further slowing down processes in an already overcrowded institute. In December 2022, AIIMS Delhi's data was hacked by Chinese hackers who demanded ₹200 crore in cryptocurrency. 

In a related news, on Tuesday, multiple top leaders of India’s opposition parties and several journalists have received a notification from Apple, saying that they are “being targeted by state-sponsored attackers who are trying to remotely compromise the iPhone associated with your Apple ID ….”

While the language of Apple’s warning is identical to what the phone manufacturer has used in the past to alert victims of spyware around the world, the fact that at least five persons in India received the same alert at the same time (11:45 pm on October 30, 2023) suggests those being targeted are part of an India-specific cluster.

India continues to be on the top of the agenda of nation-state actors when it comes to cyber-attacks. According to a Microsoft report published in October, India accounts for 13% of cyber-attacks in the Asia-Pacific (APAC) region, making it one of the top-three most attacked countries by nation-state actors.