Ankur Sharma reports:
In what is suspected to be the biggest data leak case in the country so far, details of 81.5 crore Indians with the Indian Council of Medical Research (ICMR) are on sale.
Given the grave nature of the incident, India’s premier agency Central Bureau of Investigation (CBI) is likely to probe the matter once ICMR files a complaint.
Read more at News18. While they did not get a response from the ICMR, they report, “It has been learnt that CERT-In has informed ICMR about the breach and the verification of sample data, which is on sale, matches with the actual data of ICMR after which all agencies were ropes in.”
They also report, however, that “Sources confirmed to News18 that the epicentre of leakage has not been identified as parts of the Covid-19 test data go to the National Informatics Centre (NIC), ICMR and Ministry of Health.”
The sale of the data on BreachForums was noted by Resecurity in a blog post two weeks ago but first seems to be making headlines now. The listing on October 9 by a forum user called “pwn0001” claims the data is from September 2023 and has never been sold before. The data fields include “name, fathersName, phoneNumber, otherNumber, passportNumber, aadharNumber, age, gender, address, district, pincode, state, and town. ”
Samples were provided and the seller claimed to accept middlemen for the deal, which is usually an indication that the seller is not a scammer. In this case, that seems particularly noteworthy as that username has no history or reputation on the forum. DataBreaches noted that another established forum user later challenged the seller’s claim that they would sell only one copy by claiming that the seller had already sold the data for USD $40,000 and was now trying to sell it again for $5,000. The seller challenged him to show where, but there didn’t seem to be any follow-up after that October 20 exchange.