In a concerning revelation, the dark web has once again taken center stage, and this time it’s pwn0001, a threat actor, attempting to peddle a massive database containing sensitive information of around 815 million Indian citizens. This extensive database, with details ranging from phone numbers and addresses to names and more, comes with a jaw-dropping price tag of $80,000. What sets this alarming data sale apart is that pwn0001 claims to have obtained this treasure trove through purchase, not a hacking endeavor.
The Source of the Database
Pwn0001, the figure behind this potential breach of epic proportions, insists that this data wasn’t wrestled away through a series of cyber-attacks but rather acquired through a transaction last year, at a price of $50,000. According to this threat actor, the source of the data was a dark web forum that has since met its demise, and its owner found themselves on the wrong side of the law. Plausible as these claims may sound, their authenticity remains a subject of skepticism.
The Contents of the Database
This database is claimed to hold an extensive array of personal information pertaining to Indian citizens. Among the plethora of data, you’d find details related to Aadhaar and passport, along with a myriad of other personal identifiers. Interestingly, pwn0001’s initial expectations were centered around the belief that the data would be brimming with Aadhaar and passport details. However, the stark reality is quite the opposite. A mere 10% of the database includes Aadhaar details, and passport information is even scarcer.
Attempting to Recoup an Investment
The motivation behind pwn0001’s actions seems to pivot around recouping the investment made in procuring this database. Up to this point, the threat actor has been grappling with the challenge of selling this data to potential buyers.
Data Breach Reports
The first wave of reports regarding this potential data breach emanated from Resecurity, a US-based cybersecurity research platform. According to their investigations, valid Aadhaar card IDs belonging to Indian citizens were traced within the compromised data. It’s worth noting that the Indian government, at this stage, neither confirms nor denies the occurrence of a data breach.
Legal Framework and Implications
The timing of these reports on data breaches holds significance due to the recent passage of the Digital Personal Data Protection Act (DPDP) by the Indian Parliament. While the DPDP Act empowers authorities to impose hefty fines, up to Rs 250 crore, on entities responsible for data breaches, it has not yet been enacted. The government has expressed the possibility of exempting certain categories of data fiduciaries, including specific government bodies, MSMEs dealing with citizens’ data, and startups.
In a separate incident in August, Resecurity reported another alleged breach, which involved a massive 1.8 TB of data. This data was marketed under the label ‘Indian internal law enforcement organization’ and purportedly contained personally identifiable information, including Aadhaar IDs, Voter IDs, and driving license records.
The implications and security concerns stemming from such breaches are undeniably significant, demanding heightened vigilance and proactive measures to safeguard personal data in the digital age. As these events continue to unfold, the Indian government’s response, and its actions to ensure the security and privacy of its citizens, will come under close scrutiny.