Case Study 1: India’s Largest Data Breach: Aadhaar Details of 81.5 Crore People Data Leaked on Dark Web
In the largest data breach in India, personal details of over 81.5 crore Indians, sourced allegedly from the Indian Council of Medical Research (ICMR), were leaked online. The breach, initially noticed by Resecurity, an American cybersecurity and intelligence agency, raised significant concerns regarding data security and privacy.
The breach involved a threat actor with the alias ‘pwn001’ posting a thread on Breach Forums, a forum for discussing data breaches and leaks. This thread provided access to records of 815 million Indians, including sensitive information such as Aadhaar and passport details, names, phone numbers, biometrics, and addresses. The hacker claimed to have extracted this information from the COVID-19 test details of citizens registered with ICMR. The leaked data included Aadhaar card IDs, which were verified as valid upon analysis. This breach compromised the personal information of a significant share of the Indian population, raising concerns about identity theft, financial fraud, and other forms of cybercrime.
Despite the lack of an official response from ICMR or the government, reports indicated that the Central Bureau of Investigation (CBI) was likely to probe the matter upon receiving a complaint from ICMR. Additionally, top officials from various agencies and ministries were mobilized to address the issue. Standard Operating Procedures (SOPs) were deployed to mitigate further damage and contain the breach’s impact. The breach underscores the importance of robust data protection measures and raises questions about the security protocols in place to safeguard sensitive information, particularly in the context of government databases such as Aadhaar. It also highlighted the ethical responsibilities of organizations and government agencies entrusted with collecting and storing personal data. The data breach sparked and fueled public concerns about the vulnerability of digital infrastructure in India.
The Aadhaar data breach of 2023 represents a significant breach of privacy and data security affecting millions of individuals in India. It shows the urgent need for comprehensive cybersecurity measures, strict data protection laws, and proactive measures to prevent and mitigate such breaches in the future.
Recommendations
- Implementing robust, real-time monitoring systems and regular audits can swiftly detect and address potential vulnerabilities, ensuring proactive protection against unauthorized access and data breaches.
- Utilize strong encryption methods and stringent access controls to safeguard sensitive information, preventing unauthorized users from gaining access and adding an additional layer of security to critical data.
- Foster public awareness campaigns to educate individuals about cybersecurity threats, emphasizing the importance of safeguarding personal information and promoting responsible online behavior to mitigate the risk of falling victim to cybercrimes.
- Conduct thorough employee training programs on cybersecurity protocols and regularly update staff on emerging threats.
- Advocate for and strengthen data protection laws to establish clear guidelines, penalties, and accountability measures for organizations handling personal information.
- Enforce a culture of regular updates for software, systems, and security protocols to patch vulnerabilities and stay ahead of evolving cyber threats.
Suggestions & Analysis
During the session, speakers shared their real-world experiences and studies related to the Aadhaar data breach case. Tatiana Tropina highlighted that such data breach incidents often occur through the use of tools that can serve both positive and negative purposes. She emphasized that threat actors can range from states to cybercriminals to hacktivists, which makes it difficult to take legal action. To illustrate, Tatiana shared similar examples such as the Costa Rica ransomware attack in April 2022 and the Russian gang Conti’s demand for 10 million USD. Kenneth Leung and Pranav Bhaskar Tiwari also contributed to the discussions, providing insights into cybersecurity practices and the challenges of protecting sensitive data in the digital age.
The Aadhaar data breach of 2023 serves as a stark reminder of the vulnerabilities inherent in digital systems and the critical need for robust cybersecurity measures. It is essential for governments, organizations, and individuals to prioritize cybersecurity and implement comprehensive strategies to safeguard sensitive data.
Case Study 2: National Institutional Facilitation Technologies Cyberattack in Pakistan
Background
National Institutional Facilitation Technologies Pvt. Ltd. (NIFT) is a joint venture between a consortium of six major banks and private sector entrepreneurs. It is responsible for the establishment and management of automated clearing house facilities in Pakistan and is a prominent payment system operator as well.
In June 2023, NIFT faced a cyberattack attempt. It was reported that it witnessed an attempted breach which was allegedly contained immediately through security measures. Initial reports indicated that no breach had occurred and there was only an attempt to breach. However, after a thorough investigation, it was found that not only had there been a breach, but NIFT had also lost terabytes of data. Hackers had downloaded data which included scans of all cheques from the NIFT database. The breach not only caused loss of data but also affected the banking system across Pakistan. Two of the major data centers (in Islamabad & Karachi) were shut down and certain banking services were halted for over a week.
As NIFT processes nearly 150,000 to 160,000 cheques through its online system every day, it was believed that the data of approximately 67.5 million customers was put at high risk due to the breach. Experts lamented that a breach of a system like NIFT’s, which could expose large amounts of sensitive financial data, would be tantamount to a breach of the national security of the state. This breach highlighted the critical role of cybersecurity in protecting sensitive data and the need for robust security mechanisms.
Analysis
The cyberattack on NIFT was only one of the many instances of cyberattacks on financial institutions. The International Monetary Fund (IMF) has recognized the growing number of threats to financial systems and has highlighted that there is a lack of clarity on who is responsible for protecting the system. This issue is also exacerbated by the lack of clear international law mechanisms for cyber attacks. As highlighted in the session by Tatiana, there are different motives and different actors (such as states, state-sponsored groups, hacktivists, cybercriminals, etc.) that conduct cyber attacks and breaches. Creating liability and also taking action against these varying actors with a wide range of crimes is difficult due to the lack of international regulation for cyber attacks. There are also practical issues with the implementation of cyber laws as the laws are domestic while the crimes are cross-border in nature, hence creating jurisdictional issues.
Due to the difficulties in implementing liability over cyber attacks and breaches, it is important that internationally, financial services systems be made secure. To do this, certain strategies like the ones recommended by the Carnegie Endowment for International Peace could be adopted to strive towards reducing fragmentation and fostering collaboration among government agencies, financial firms, and tech companies both internationally and domestically to ultimately create a stronger and more secure financial system.
Recommendations
- Create a basic framework for supervising cyber risk management at financial institutions.
- Governments and industry should strengthen security by sharing information on threats and by creating financial computer emergency response teams (CERTs).
- Create secure, encrypted data vaulting to securely back up customer account data.
- Run exercises that simulate cyberattacks to identify weaknesses and develop cyberattack action plans.
- Establish clear international law to regulate cyberspace and strengthen norms to protect the integrity of the financial system.
Written by Maryam Khalid, Tejaswita Kharel (Edited by Qurra Tul Ain Nisar and Nattaya Jaratruangsaeng)