PII Belonging to Indian Citizens, Including their Aadhaar IDs, Offered for Sale on the Dark Web
In early October, Resecurity’s HUNTER (HUMINT) unit identified hundreds of millions of personally identifiable information (PII) records belonging to Indian residents, including Aadhaar cards, being offered for sale on the Dark Web. An Aadhaar is a unique, 12-digit individual identification number “issued by the Unique Identification Authority of India on behalf of the Government of India,” according to the UIDAI website.
With roughly 1.4 billion Aadhaars issued by the UIDAI since this ID service launched in 2009, this system represents one of the largest biometric ID programs on the planet, according to a report published by think tank Brookings Institution. Resecurity’s discovery follows the publication of a report by credit-rating agency Moody’s last month questioning the reliability of the Aadhaar system’s biometric authentication controls. The Moody’s report also warned that there are security and privacy vulnerabilities in Aadhaar’s centralized system.
On September 25, the Indian government’s Press Information Bureau published a statement refuting the Moody’s report. The PIB’s rebuttal said Moody’s failed to “cite either primary or secondary data or research in support of the opinions presented in it.” The PIB also said that “no breach has been reported from Aadhaar database” to date. The HUNTER unit’s Dark Web sleuthing yielded findings that suggest otherwise, although the ultimate source of the leaks discussed in this report remains unclear.
Powered by the core biometric markers of 10 fingerprints and two iris scans, Aadhaars function as digital IDs. Aadhaars facilitate electronic payments, online Know Your Customer (e-KYC) verification, and compatibility with various Indian financial platforms. The Election Commission of India has also moved to link its voter registration database with the Aadhaar system. As of February 2023, 60% of India’s eligible voters, or 945 million people, had linked their Aadhaar card to their voter IDs, according to local media reports.
Resecurity’s HUNTER investigators identified two threat actors brokering access to Indian PII and Aadhaar records on Breach Forums, a leading cybercriminal hub. In October, Resecurity flagged a thread posted by a threat actor using the online handle ‘pwn0001,’ claiming they were in possession of a database containing 815 million Indian citizen Aadhaar and passport records. Concurrently, the actor shared spreadsheets containing four large leak samples with fragments of Aadhaar data as a proof. One of the leaked samples contains 100,000 records of PII related to Indian residents.
In August, another threat actor going by the alias ‘Lucius’ posted a thread on Breach Forums promoting a 1.8 terabyte data leak impacting an unnamed “India internal law enforcement organization.” This data set contained an even more extensive array of PII data than pwn0001‘s.
According to Resecurity, one of the main sources of this data – breached 3d parties attacked by cybercriminals to steal PII. Typically, such data is collected by financial institutions, lending companies and mobile carriers, which makes them a target for cyber attacks.
Resecurity’s discovery coincides with a global threat landscape that has seen India emerge as a top-five geography for cyberattacks, according to a recent vendor survey. This survey found that India ranked fourth globally in online banking malware detection and top-five globally in all malware detections in the first half of 2023.
The leak of PII data containing Aadhaar (and other details) of Indian citizens on the Dark Web creates a significant risk of digital identity theft. Threat actors leverage stolen identity information to commit online banking theft, tax refund frauds, and other cyber-enabled financial crimes. Resecurity observed a spike in incidents involving Aadhaar IDs and their leakage on underground cybercriminal forums by threat actors looking to harm Indian nationals and residents. To mitigate this risk, Resecurity acquired the published data set on Dark Web and notified victims of the leaked identities.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Aadhaar)