The dark web threat actor, pwn0001, who is selling sensitive data belonging to 815 million Indians, says that the database is "old", and that they had bought it from a now-defunct dark web-based forum last year.
On September 10, the user pwn0001 posted a listing on dark web website BreachForums stating that they were selling "Indian citizen Aadhaar and Passport Database" for $80,000. Other details that the listing claims this database of citizens includes are phone number, address, name, parents' name and so on.
"I did not hack any database. I bought it last year for $50,000," pwn0001 told Moneycontrol over Telegram. The seller added that the forum from which he bought the database has now been shut down and its owner arrested. Moneycontrol could not independently verify these claims.
The threat actor said that they bought the database last year assuming that it would have Aadhaar and Passport details en masse. However, that was not the case, said pwn0001.
"The data was not as it was marketed. Only 10 per cent of the database has Aadhaar details and only few thousands have passport details," he said. A few of the data samples that pwn0001 posted on BreachForums comprised Aadhaar details.
"So now, I am just trying to recover my investment," pwn0001 said, adding that he has not been able to sell it to anyone yet.
Reports of this data breach were first posted by US-based cybersecurity research platform Resecurity. The platform's researchers claimed to have identified valid Aadhaar card IDs belonging to citizens.
To be clear, the Indian government has not yet confirmed or denied any data breach. Moneycontrol has reached out to UIDAI CEO Amit Agrawal with more queries on the matter and the article will be updated when a response is received.
These reports of a data breach come at a time when Parliament has passed the Digital Personal Data Protection Act and it has been enacted into law. The DPDP Act brings in provisions that say that if a platform leaks the personal data of any citizen, it can be fined up to Rs 250 crore.
However, the law has not been implemented yet. The government had earlier said that three categories of data fiduciaries can get exemptions from implementation of the Act -- certain government entities, which are lowest in terms of digitisation such as Panchayats and so on; MSMEs that deal with citizens' data and lastly, startups.
Earlier in August, Resecurity reported another alleged breach that included 1.8 TB of data and was sold online under the name 'Indian internal law enforcement organization'.
The team claimed to have verified that this too contained personally identifiable information from Aadhaar IDs, Voter IDs and driving license records.