Personal data of over 81.5 crore people has been put up for sale on the darknet. The data was allegedly sourced from the Indian Council of Medical Research (ICMR). Details of several individuals, including a Hyderabad-based man, were on top of the leaked data sample, showing the name, age, father’s name, phone number, passport number, Aadhaar number, and complete address.
On October 9, an individual with username ‘pwn0001’ posted a thread on Breach Forums offering access to the expansive database. The leak was initially discovered by a US-based cyber security firm, Resecurity.
“This data set contained an even more extensive array of PII data than pwn0001’s. Beyond Aadhaar IDs, Lucius’ leak contained Voter IDs and driving license records,” said a Resecurity report.
According to Lucius, 85% of Indians’ personal data – including phone numbers, identity documents and addresses – are available in this dataset for sale.
Data can be used to micro-target voters
The Brookings report, which studies the Implications of Peaceful Space Activities for Human Affairs, highlights the increased risk of fraud and political microtargeting due to such leaks with the potential to manipulate electoral outcomes and further polarise an already divided society.
“It becomes easy for political parties to target voters if they get their personal details. Names can be used to target them based on their community and caste. If the data leaked is more detailed, like information about children (firms can use it to advertise products to parents about education and child benefits), if it has location, it can help identify ownership and give ads related to housing schemes,” security expert and author of the book ‘AADHAAR EFFECT’ NS Ramnath told Siasat.com.
Data from Aadhaar verification, COVID-19 tests
As of February 2023, 945 million Indians had linked their Aadhaar cards to their voter IDs. A spreadsheet sample containing fragments of Aadhaar data using the government’s “Verify Aadhaar” feature was posted on the forum. The post advertising a single sale of 90GB of Aadhaar data of Indians was seen by over 15,000 people.
The alleged breach not only risks identity fraud but also undermines the credibility of the ICMR, an institution already grappling with the logistical challenges of managing COVID-19 data. The data has been pulled from citizens’ COVID-19 test details registered with ICMR.
