815 Million Indian Citizens’ Data Breached, Sold on Dark Web

Resecurity, an American cybersecurity firm, recently reported that the Personally Identifiable Information (PII) of 815 million Indian citizens has surfaced on the Dark Web. The exposed details include Aadhaar numbers and passport information. The data was allegedly obtained from the Indian Council of Medical Research (ICMR), an organization that experienced around 6,000 cyber-attack attempts in 2022.

Understanding the Dark Web

The Dark Web refers to unindexed sites accessible only through specialized web browsers. It forms a part of the Deep Web; in the ocean-and-iceberg analogy, it is the bottom tip of the submerged iceberg. Accessing the Dark Web requires special software, configurations, or permissions, making it challenging for an average user.

Personally Identifiable Information (PII) and Data Accessibility

PII includes any information, such as passport details, that can identify an individual when used alone or with other data. According to the threat actors selling this data, its source remains unclear. However, data samples observed by researchers reveal multiple references to the UIDAI (Unique Identification Authority of India) and Aadhaar cards, indicating a possible breach.

The Impact of Leaked Information

India, one of the fastest-growing economies globally, witnessed a high malware detection rate, ranking 4th in the first half of 2023 as per a Resecurity survey. The political unrest in West Asia and the subsequent increase in cyber-attacks raised significant concerns about digital identity theft. Stolen identity information facilitates online banking theft, tax fraud, and other cyber-enabled financial crimes.

Previous Instances of Data Breaches

Large-scale Aadhaar data leaks occurred in 2018, 2019, and 2022. In one instance, farmer data stored on the PM Kisan website was made available on the dark web. A recent report in 2023 revealed that a bot on Telegram, the messaging platform, was providing personal data of Indian citizens who had registered with the CoWIN portal.

Data Governance Provisions in India

India has privacy provisions under the IT (Amendment) Act, 2008. Additionally, the Supreme Court unanimously held in the Justice K. S. Puttaswamy (Retd) vs Union of India case in 2017 that Indians have a constitutionally protected right to privacy. In August 2017, the government appointed a special committee on data protection under the leadership of Justice B N Srikrishna. The Committee submitted its report in July 2018 with recommendations aimed at strengthening privacy law in India.

Proposed Changes in Data Governance

The IT Rules (2021) mandate social media platforms to exercise greater content diligence. The proposed ‘Digital India Act’, 2023 aims to replace the IT Act, 2000. The new act addresses current cybersecurity landscape issues and data privacy rights, and envisions fostering more innovation and startups while safeguarding Indian citizens’ safety, trust, and accountability.

The Way Forward

Following the breach, the UIDAI suggests using a “masked Aadhaar” displaying only the last four digits of the Aadhaar number. The organization also recommends amending the Aadhaar Act to reintroduce independent oversight through an “Identity Review Committee”. In addition, the government should restrict mandatory Aadhaar usage to permissible uses and offer alternative means of authentication when Aadhaar verification fails. Users can protect their Aadhaar data by locking it via the UIDAI website or mobile app, thereby rendering biometric information useless even if compromised.
