APT infrastructure infecting a wide range of sectors detected in India

India's national ID database containing the information of nearly 1.2 billion people was breached with cyber-criminals selling access to the information for US$ 8 (£6), though officials deny the extent of the incident.

On 3 January, 2018, The Indian Tribune claimed to have purchased access to the stolen information, containing the names, addresses, dates of birth, mobile numbers, all ten fingerprints, and iris scans of the country's citizens. In 2010, India started collecting this information into a centralised government database called Aadhaar to create a voluntary identity system.

The publication was also able to purchase software that could enable a user to print Aadhaar cards after entering the Aadhaar number of any individual.

Last November UIDAI, the Unique Identification Authority of India, asserted the database is safe and secure and that no leak or breach had occurred. When the Tribune contacted the government agency about the breach, officials expressed shock and admitted it seemed to be a major national security breach before consulting UIDAI technical consultants.

The Tribune estimates that a racket may have started around six months ago when anonymous groups were created on WhatsApp to target more than 300,000 village-level enterprise (VLE) operators hired by the Ministry of Electronics and Information Technology (ME&IT) under the Common Service Centres Scheme (CSCS) across India. The operators would have had access to the UIDAI data and any compromised operators would have provided a potential entry point for the breach.

More than 100,000 village-level enterprise operators are suspected to have gained illegal access to UIDAI data to provide “Aadhaar services” to common people for a charge, including the printing of Aadhaar cards, the publication said.

The database was also vulnerable because anyone could access, or become an admin of, the official Aadhaar database as long as they were invited by someone who was already an admin, according to The Quint.

The Tribune's report was dismissed as “fake news” by India's Narendra Modi-led Bharatiya Janata Party. UIDAI denied the Tribune report and told BuzzFeed “Aadhaar data including biometric information is fully safe and secure.”

The report has since sparked a police probe. Even if the database wasn't breached, researchers advise against aggregated databases such as Aadhaar, as they pose a risk to the privacy of citizens.

“Regardless of whether the Indian Government is correct and no biometric information was included in the database accessed by The Tribune of India, the opportunity for fraud stemming from this incident is immense,” Netskope chief executive officer Sanjay Beri told SC Media. “Sure, criminals may not be able to create exact duplicates of an individual's Aadhaar ID card, but they still have all the data necessary to conduct highly targeted phishing attacks and other identity fraud.”

Even if hackers only have access to the database's non-biometric information, they could easily imitate the agency in order to convince unsuspecting citizens to hand over additional data such as their banking information, Beri added. Experts agree.

“The UIDAI have suggested that no biometric data was accessed, but even so, the amount of PII that has been accessed provides a healthy pipeline for future cyber-criminals,” Lisa Baergen, director at NuData Security, told SC Media. “In future, organisations should take more stringent security measures in protecting PII, including passive biometrics and two-factor authentication.”

Last year a darknet trader was caught selling the Medicare patient details of any Australian on request, having stolen them via an exploit in a government system.