Massive data breach exposes 81 cr citizens’ Aadhaar, passport data

Concerned about the severity of the breach, the cybersecurity firm initiated contact with the threat actor, who proposed selling the entire database for an astounding $80,000. To validate the legitimacy of the data, the threat actor furnished a sample containing details of more than 100,000 Indian citizens

In the wake of a massive data breach that exposed the Aadhaar and passport data of 81 crore Indian citizens, questions loom large over the state of data protection and compliance in the country.

As organizations grapple with the aftermath of this alarming incident, concerns arise about their readiness to comply with the Digital Personal Data Protection Act, 2023 (DPDP Act). The rapid digitization of the Indian economy has outpaced the development of necessary checks and balances for data protection. In the western world, data privacy standards like GDPR have been in place for over two decades, providing a robust framework for data protection. In India, however, businesses are still in the process of adapting to the challenges posed by the massive amount of data generated daily.

The DPDP Act is a new legislation in India, and organizations are finding it challenging to adapt and comply with its provisions. There is a lack of institutional capacity to adhere to the prescribed standards, making it difficult for corporations to implement robust data protection measures.

To link individuals' Aadhaar cards to various services, a multi-step verification process is in place. Aadhaar authentication is a critical enabler for financial transactions and has played a pivotal role in reducing instances of fraudulent transactions and identity theft. Various methods, including demographic authentication, one-time authentication based on OTPs, biometric-based authentication, and multi-factor authentication, are employed to ensure the authenticity of Aadhaar-linked services.

For the verification of voter IDs, entities must manually visit the Voters Service Portal maintained by the Election Commission of India (ECI) to verify the authenticity of voter IDs.

As the news of the data breach came to light, it raised questions about whether organizations affected by the breach were aware of the incident and promptly reported it to the appropriate authorities, as required by law. The breach was discovered by a US cybersecurity firm, which came across a threat actor claiming to have Aadhaar and passport records of millions of Indian citizens. The firm cross-checked the Aadhaar numbers to verify their authenticity, shedding light on this significant breach.

Talking to Bizz Buzz, Rishi Agrawal, CEO and Co-Founder, TeamLease RegTech said, “The issue of organizations processing personal data outside India for the purpose of offering goods or services to Indian citizens also raises concerns about compliance with the DPDP Act. While the act mandates the storage of personal data within India, there are no specific regulations governing this aspect. Many big tech companies continue to store and process data outside India. These companies are operating in the western world, where they are required to comply with western data protection standards like GDPR, which have inspired India's data protection standards."

Preventing future breaches is a paramount concern. Organizations can take a series of steps to enhance data security, including security certifications, data encryption, access control, regular security audits, employee training, patch management, and incident response plans. These measures collectively form a robust defense against data breaches and unauthorized access.

As organizations strive to protect personal data, it is imperative to monitor and conduct compliance audits to ensure that data is being used for lawful purposes, in line with the DPDP Act. However, given the evolving nature of data protection regulations in India, organizations are currently relying on their internal standards and processes until a more robust regulatory framework is established.

In the face of the significant data breach, India stands at a crucial juncture in its journey toward ensuring data protection and privacy for its citizens. As organizations and regulatory bodies work together to adapt to the challenges of the digital age, the road ahead promises to be one of continuous improvement and vigilance in safeguarding personal data.

In the corridors of corporate India, there was a growing realization that while the country had rapidly embraced the digital era, the regulatory ecosystem was still playing catch-up. In contrast to the western world, where data protection and privacy standards like the General Data Protection Regulation (GDPR) had been in place for over two decades, India was still finding its footing in this critical domain.

According to Agrawal, “The DPDP Act, introduced in 2023, marked a significant step forward, but it had not yet become the standard practice. The sheer magnitude of data being generated daily had left organizations grappling with the challenges of data protection. The lack of institutional capacity to enforce prescribed standards made it difficult for corporations to adapt and comply with the DPDP Act. The corporate ecosystem was still in the process of understanding and implementing the necessary data protection measures in the wake of the data breach.”

The data breach was brought to light by a US cybersecurity firm that stumbled upon a threat actor claiming to possess the Aadhaar and passport records of 81.5 crore Indians. The exposed data included names, phone numbers, addresses, Aadhaar and passport information, and other personally identifiable information. Alarmed by the extent of the breach, the cybersecurity firm engaged the threat actor, who offered to sell the entire database for a staggering $80,000. To prove the authenticity of the data, the threat actor provided a sample containing details of over 1,00,000 Indian citizens.

The breach had sent shockwaves through corporate boardrooms and government offices alike. Data breaches in 2023 had become a recurring nightmare.

Amidst the chaos, another pressing concern emerged. Indian organizations were processing personal data outside the country's borders to offer goods and services to Indian citizens. The Digital Personal Data Protection Act, 2023 mandated that personal data must be stored within India. However, there were no specific regulations governing this aspect, and data not covered by the Reserve Bank of India's directive continued to be processed abroad. BigTech companies, in particular, were still storing and processing data outside India, as there were no restrictions in place.

The massive data breach had sounded a clarion call for heightened data security measures. Organizations realized the need for proactive steps to protect sensitive data and prevent unauthorized access.