Personal data, including Aadhaar details and mobile phone numbers of nearly 75 crore Indians, has reportedly been put up for sale online, said digital threat analysis company CloudSek in a report on Wednesday.
The company revealed that its digital risk protection platform detected a post on an "underground forum" by a threat actor named CyboDevil, promoting the sale of a comprehensive mobile network consumer database on Tuesday.
According to the report, another threat actor named UNIT8200 made a similar post on January 14 on the instant messaging platform Telegram.
The alleged database comprises the name of the mobile user, their phone numbers, residential addresses, Aadhaar details, and names of their family members.
Both CyboDevil and UNIT8200 are part of the CYBOCREW group, founded around July 2023. The CYBOCREW group has been "linked to significant breaches, targeting Netplus Co, Zivame, Giva Co, and a Hyundai data breach affecting 2.1 million individuals," according to the cybersecurity firm.
The report included screengrabs of the posts on Telegram and the "underground forum" but did not specify if CloudSek independently verified the dataset.
The report mentioned that the exact method of the data breach is unclear, but the threat actors hinted at "exploiting vulnerabilities within government databases or telecommunication systems."
When asked how CYBOCREW acquired the dataset, the group claimed to have obtained the data through "undisclosed asset work within law enforcement channels."
“This opaque explanation prompts a critical examination into the legitimacy and ethical considerations surrounding the actor’s access to highly sensitive information,” the company said. “Further scrutiny is warranted to validate the veracity of the claim and assess the potential implications of such data sourcing practices.”
The report also raised alarms about the significant risks due to such leaks and said that it could be used for “sophisticated ransomware attacks or data exfiltration”.
In December, Union Minister of State for Electronics and Information Technology Rajeev Chandrasekhar reported 165 breaches of data of Indian citizens between January 2018 and October 2023.
Chandrasekhar claimed that no breach of Aadhaar data has occurred from the Central Identities Data Repository maintained by the Unique Identification Authority of India.
However, in January 2018, The Tribune claimed to have "purchased" a "service being offered by anonymous sellers over WhatsApp" for "unrestricted access" to details of more than one billion Aadhaar holders.