tl;dr
Recent data breaches and leaks have underscored their widespread impact on the data security of millions of users. Grave cybersecurity incidents, such as the BSNL and Star Health data leaks, have raised concerns about the detection and response capabilities of India’s cybersecurity authorities. This series lists the cybersecurity incidents that occurred in the country during a quarter and our actions in response to them. We highlight the need for organisations to prioritise proactive measures, transparency, and public awareness to mitigate risks and foster cyber resilience in an interconnected digital world.
Important Documents
- Letter to CERT-In on the BSNL data breach dated July 25, 2024 (Link)
- Letter to CERT-In on Angel One data leak dated July 25, 2024 (Link)
- Letter to CERT-In on the eMigrate Portal data breach dated July 25, 2024 (Link)
- Letter to CERT-In on the Airtel Database breach dated July 25, 2024 (Link)
- Letter to CERT-In on WazirX data breach dated September 9, 2024 (Link)
- Letter to CERT-In on Piramal Group’s data leak dated September 9, 2024 (Link)
- Letter to CERT-In on Co-operative and regional rural banks data breach dated September 9, 2024 (Link)
- Letter to CERT-In on the Durex India data breach dated September 9, 2024 (Link)
- Letter to CERT-In on the Star Health data breach dated September 20, 2024 (Link)
- Letter to CERT-In on vulnerability in smart cards issued by the Telangana Transport Department dated September 24, 2024 (Link)
- PlugTheBreach (Link)
The grim state of cybersecurity in India
The urgent need to operationalise the Digital Personal Data Protection Act (“DPDPA”), 2023 is underscored by the increasingly pervasive threats to individuals’ digital privacy and security. As technology advances, so do the methods and scale of cyberattacks, leaving individuals and organisations vulnerable to data breaches, identity theft, and surveillance. A comprehensive, robust, and rights-respecting data protection law is essential to establish clear guidelines, regulations, and enforcement mechanisms to safeguard personal information, ensure transparency in data handling practices, and hold entities accountable for any lapses in cybersecurity. The inadequacies of the DPDPA, 2023 in safeguarding data privacy and empowering data principals in the event of a breach, together with the current grim state of cybersecurity in the country, reveal concerning gaps and vulnerabilities. Despite efforts to bolster cybersecurity, including the establishment of dedicated agencies and initiatives, challenges such as insufficient resources, outdated infrastructure, and a shortage of skilled professionals persist. The exemption in 2023 of the Indian Computer Emergency Response Team (“CERT-In”), the nodal authority for monitoring data breaches, from the Right to Information (“RTI”) Act, 2005 raises serious concerns about the accountability of an organisation whose actions or inaction are consequential for the state of cybersecurity and individual privacy in the country. This move is certainly not in the public interest, as it weakens the rights of the people by diluting an Act meant to empower them.
Data breaches and vulnerabilities in 2024 Q3
- BSNL data leak: Bharat Sanchar Nigam Ltd (“BSNL”) reportedly suffered a significant data breach in which sensitive information such as IMSI numbers, SIM card details, Home Location Register (HLR) data, and critical security keys was accessed by a threat actor. The incident was reported by the digital risk management firm Athenian Technology, according to which a hacker using the username ‘kiberphant0m’ claimed to have exfiltrated 278 GB of data from BSNL’s telecom operations, including server snapshots, and offered it for sale for $5,000.
Notably, this marked the second data breach the state-owned telecom operator had suffered within six months. We wrote a letter to CERT-In bringing this breach to their notice and highlighting that such a breach puts customers at risk of financial loss as well as data theft.
The breach was acknowledged by the Department of Telecommunications during the 2024 Monsoon session of Parliament, in reply to a question by Member of Parliament Dr. Amar Singh about the BSNL data breach. The Minister stated that CERT-In had reported the breach on May 20, 2024, but denied the claim of a breach of the Home Location Register (HLR) and, consequently, stated that there had been no service outage in BSNL’s network.
- Angel One data breach: Angel One, a Mumbai-based stock brokerage firm, reportedly suffered a data breach that compromised the personal data of approximately 8 million customers. An unidentified threat actor exposed Personally Identifiable Information (“PII”) such as customers’ names, addresses, contact numbers, and bank account details on a hacker forum. In response, Angel One clarified that the data related to a prior breach from April 2023, which it said had been reported to the relevant authorities, and that there had been no further breach of its systems since that incident. Read our letter to CERT-In here.
- Data breach of the eMigrate Portal: A significant data breach reportedly affected the eMigrate Portal, a platform launched by the Ministry of External Affairs (“MEA”) to help Indian labourers emigrate overseas. A pseudonymous hacker published data of individuals who had signed up on the eMigrate portal on a known cybercrime forum and claimed to hold at least 2,00,000 internal and registered-user entries containing full names, email addresses, phone numbers, dates of birth, mailing addresses, and passport details. The leaked data also included the personal information of a foreign ambassador of the Indian government. It is unclear whether the data was obtained directly from the eMigrate servers or through a previous breach. CERT-In stated that it was “in [the] process of taking appropriate action with the concerned authority,” while the MEA did not officially comment on the matter. We wrote a letter to CERT-In highlighting the inadequate cybersecurity measures taken by the MEA.
- Data leak of the Airtel database: On July 3, 2024, an ‘X’ (formerly Twitter) user known as ‘Dark Web Informer’ reported that a hacker using the username ‘xenZen’ was offering the data of more than 375 million Bharti Airtel (“Airtel”) users for sale on the dark web. Airtel is one of the largest telecom service providers in India, and the leaked information reportedly included personal details such as name, date of birth, Aadhaar number, father’s name, local address, permanent residential address, alternate phone number, email ID, gender, nationality, connection type (prepaid/postpaid), SIM activation date, photo ID proof, and address proof. According to reports, the data was listed on a dark web forum for $50,000 (Rs. 41 lakh), payable in cryptocurrency. Airtel India, through its ‘X’ account, denied any breach of its systems and called the reports a malicious attempt to tarnish its image. Read our letter to CERT-In here.
Notably, this is not the first alleged data breach involving Airtel. In 2021, a cybersecurity researcher warned that the data of over 2.5 million Airtel customers had been posted on a threat actor’s website called ‘Red Rabbit Team’, which was taken down after three months. Airtel denied the breach allegations then as well.
- WazirX data breach: A significant breach reportedly affected WazirX, India’s largest cryptocurrency exchange. Reports indicated that the breach involved the theft of more than 200 crypto assets, including $96.7 million worth of Shiba Inu (SHIB) tokens, the largest share of the lost funds, followed by $52 million in Ethereum (ETH), $11 million in Polygon (MATIC), and $7.6 million in Pepe (PEPE), with the total stolen estimated at $235 million, nearly 45 per cent of WazirX’s $500 million. The company confirmed in a statement on ‘X’ (formerly Twitter) that its multisig wallet, which had been using Liminal’s digital asset custody and wallet infrastructure since February 2023, was the target of the attack. WazirX also reportedly reached out to the Indian police, the Financial Intelligence Unit (FIU) India, CERT-In and other authorities to help tackle the situation. Subsequent investigation by the cybersecurity firm Elliptic suggested that the breach was orchestrated by the ‘Lazarus Group’, a notorious hacking collective affiliated with North Korea. Read our letter to CERT-In here.
- Piramal Group’s data leak: According to TechCrunch, Piramal Group, an Indian multinational operating across pharmaceuticals, financial services, and real estate, suffered a data breach. A pseudonymous hacker claimed to have access to a company database containing personal details, such as names and email addresses, of thousands of Piramal Group employees, and published a small portion of the data for sale on a well-known cybercrime forum at an undisclosed price. The company told media outlets that its investigation had not uncovered any breach of its systems and that the leaked information originated from a third-party platform called Mallinator, not from Piramal’s systems. We wrote a letter to CERT-In asking it to look into the alleged breach and conduct a forensic analysis to ascertain whether any flaws in Piramal’s systems were exploited.
- Co-operative and regional rural banks data breach: A ransomware attack reportedly hit C-Edge Technologies Ltd. (“C-Edge”), a technology service provider primarily catering to co-operative banks and Regional Rural Banks (“RRBs”), as confirmed by the National Payments Corporation of India (“NPCI”) on July 31, 2024. The attack resulted in a temporary suspension of all retail payments at the affected banks, and customers were unable to access payment systems until restoration was complete. After a security review, it was stated that the impact was limited to C-Edge systems hosted in its data centre and did not extend to the co-operative or regional banks’ own infrastructure. We wrote a letter to CERT-In asking it to investigate the breach further.
- Durex India data breach: A data breach at Durex India, the Indian subsidiary of the British condom and personal lubricant brand, reportedly exposed sensitive customer information collected through its official website: names, phone numbers, email addresses, shipping addresses, the products ordered, and the amount paid. While the exact number of affected customers remains unclear, a security researcher found evidence that the sensitive information of hundreds of individuals had been exposed. The breach allegedly occurred because the company’s order confirmation page lacked proper authentication, meaning order details were reachable without the customer having to log in. The company declined to comment or share its plans to secure its customers’ information. We wrote a letter to CERT-In raising our concerns that the data could be exploited for identity theft and phishing attacks, and that the contact details could lead to unwanted harassment and moral policing of customers.
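The Durex India report only says that the order confirmation page lacked proper authentication. The following is an added illustration of that class of bug, not code from Durex India or from the original page: it assumes a conventional e-commerce design in which order IDs are handed out sequentially and the confirmation page is keyed by the order ID in the URL. The order records and names are constructed sample data. It shows why an unauthenticated confirmation page lets anyone walk the ID space, and one hardened form that requires either an authenticated owner or an unguessable HMAC-derived confirmation token, returning the same "not found" in every failure case so the ID space cannot be probed.

```python
"""Broken access control on an order-confirmation page, illustrated.

Added example, not code from Durex India or from the original page. The
sequential-ID design and the order records below are assumptions and
constructed sample data used to show the failure mode and one fix.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample order store (hypothetical customers and orders).
ORDERS = {
    1001: {"customer_id": 7, "name": "A. Sharma", "phone": "98xxxxxx01",
           "email": "a.sharma@example.com", "product": "item-A", "amount": 499},
    1002: {"customer_id": 8, "name": "B. Rao", "phone": "98xxxxxx02",
           "email": "b.rao@example.com", "product": "item-B", "amount": 899},
    1003: {"customer_id": 9, "name": "C. Iyer", "phone": "98xxxxxx03",
           "email": "c.iyer@example.com", "product": "item-C", "amount": 1299},
}


# --- Vulnerable pattern: confirmation page keyed only by the order ID --------
def confirmation_vulnerable(order_id: int) -> Optional[dict]:
    """Returns the full order record for any ID; no session, no ownership check."""
    return ORDERS.get(order_id)


def enumerate_orders(start: int, stop: int) -> list:
    """What an attacker does against the vulnerable handler: walk the ID space
    and harvest every order that exists."""
    leaked = []
    for oid in range(start, stop):
        rec = confirmation_vulnerable(oid)
        if rec is not None:
            leaked.append((oid, rec["name"], rec["phone"]))
    return leaked


# --- Hardened pattern --------------------------------------------------------
# Access is granted only if (1) the caller is authenticated and owns the order
# (object-level authorisation), or (2) the caller presents an unguessable token
# derived from a server secret, as used in guest-checkout confirmation links.
# Every failure returns None, indistinguishable from a non-existent order.
SERVER_SECRET = secrets.token_bytes(32)  # per-deployment secret; rotate like any key


def confirmation_token(order_id: int) -> str:
    """Per-order token that cannot be computed without SERVER_SECRET."""
    mac = hmac.new(SERVER_SECRET, str(order_id).encode(), hashlib.sha256)
    return mac.hexdigest()


def confirmation_hardened(order_id: int,
                          session_customer_id: Optional[int] = None,
                          token: Optional[str] = None) -> Optional[dict]:
    """Return a minimal confirmation view only to the owner or a valid token holder."""
    rec = ORDERS.get(order_id)
    if rec is None:
        return None
    owns = session_customer_id is not None and rec["customer_id"] == session_customer_id
    has_token = token is not None and hmac.compare_digest(token, confirmation_token(order_id))
    if not (owns or has_token):
        return None  # deliberately the same response as a missing order
    # Return only what the page needs; contact details stay out of the response.
    return {"order_id": order_id, "product": rec["product"], "amount": rec["amount"]}


if __name__ == "__main__":
    print("leaked via vulnerable handler:", enumerate_orders(1000, 1010))
    print("hardened, no session:", confirmation_hardened(1001))
    print("hardened, owner:", confirmation_hardened(1001, session_customer_id=7))
    print("hardened, token:", confirmation_hardened(1002, token=confirmation_token(1002)))
```

The two points a reviewer would look for in such a page are the ownership check tied to the session (not to anything the client sends in the URL) and the constant-time token comparison via `hmac.compare_digest`; the "not found" response for both unauthorised and missing orders is what stops an attacker from confirming which IDs exist.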
- Star Health data breach: A significant data breach recently affected Star Health and Allied Insurance Co. Ltd. (“Star Health”), one of India’s biggest health insurers. According to Reuters, stolen data of Star Health customers, including full names, phone numbers, addresses, tax details, copies of ID cards, test results and medical diagnoses, was publicly accessible via chatbots on Telegram. The unidentified creator of the chatbots told a security researcher that details of millions of people were available for sale and that samples could be viewed simply by asking the chatbots. Star Health released a statement on September 20, 2024, saying it had reported the “alleged unauthorised data access to the local authority.” It added that an initial assessment showed “no widespread compromise” and that “sensitive customer data remains secure.” It did not clarify whether the data had been leaked from its own servers. We wrote a letter to CERT-In requesting an enquiry to ensure that Star Health provides the appropriate remedy to affected users as per its statutory obligations.
Notably, on October 9, 2024, Star Health released another statement acknowledging that it had been the target of a malicious cyberattack that led to unauthorised and illegal access to certain data. The statement came after a website surfaced claiming to offer the data of over 31 million of the company’s customers for sale at $150,000. The hacker ‘xenZen’ alleged that Star Health’s Chief Information Security Officer, Amarjeet Khanuja, had sold the data. Star Health has also filed a lawsuit against Telegram and an unidentified hacker over the breach and is actively investigating the matter.
- Vulnerability in smart cards issued by the Telangana Transport Department: In September 2024, a significant vulnerability was reported in the smart cards issued by the Telangana Transport Department for vehicle registration certificates and driving licences. According to reports, the chips in these cards, supplied by Colorplast India Private Limited, do not comply with the Smart Card Operating System for Transport Application (“SCOSTA”) guidelines and are therefore vulnerable to future data breaches. The claims are reportedly based on a test conducted by the National Informatics Centre. The Transport Department gave no official response. Read our letter to CERT-In here.
PlugTheBreach: IFF’s data breach tracker
A non-exhaustive list of data breaches in the country since 2020 is available on PlugTheBreach, a publicly accessible database and small-scale IFF initiative aimed at covering, reporting, and tracking data breaches in India to increase transparency and public awareness.
Conclusion
The multitude of recent data breaches and leaks underscores the critical importance of robust cybersecurity measures in today’s digital landscape. From breaches compromising sensitive personal information to vulnerabilities in major databases and platforms, these incidents highlight the pervasive risks individuals and organisations face.
In the face of these challenges, organisations must prioritise proactive cybersecurity measures, including regular audits, robust encryption, and swift incident response procedures. There is also an urgent need for greater transparency and accountability in handling data breaches, as seen in the cases above where affected companies failed to promptly acknowledge or adequately address the breaches.
Public awareness and education on cybersecurity best practices also play a vital role in mitigating risks and fostering a culture of cyber resilience. Thus, as we navigate an increasingly interconnected digital world, we must remain vigilant and proactive in safeguarding our digital assets and protecting user privacy.