The government’s Computer Emergency Response Team, or CERT, is investigating reports that confidential data of over 80 crore Indians, including names and phone, passport and Aadhaar numbers were leaked on the dark web, junior IT Minister Rajeev Chandrasekhar told NDTV.
The minister would not confirm or comment on the size of the alleged leak, but said the government is working to ensure private data – whether collected by the centre or state for administrative purposes, or by businesses for commercial reasons – is maintained in a “bullet proof” ecosystem”.
“Not something I am very happy about…” Mr Chandrasekhar said Tuesday evening, “(but) CERT is investigating, as its mandate. (I am) still not privy to exact details… only understand it is an alleged leak or breach. I have no idea about the size of the (alleged) leak… don’t want to speculate.”
Mr Chandrasekhar said he could only comment further after CERT submits its report.
“CERT is investigating… to understand what was leaked, where it has been leaked, and what caused it… whether it was a hack or an operating system vulnerability. Will wait till they give a report.”
He did, however, stress that the government is still working on moving large amounts of data, including legacy data collected over the past decades, to safe storage.
“In the government ecosystem, there is data from the centre and states, and ministries and departments. Lot of data… including legacy data that peaked during COVID-19. It requires a lot of time to transition, in an orderly and non-disruptive manner to being a responsible keeper of data.”
ALSO READ | Exclusive: “Apple Must Say If Devices Secure,” Says Minister On ‘Hacking’ Row
“I think we have to recognise the government ecosystem will take a little longer to transition to a bullet proof set-up… one which manages data and keeps it in a safe and responsible manner.”
Mr Chandrasekhar pointed out that it wasn’t just government data that had to be secured.
“This applies to MSMEs and other small businesses, which are custodians of consumer data. It will take time for all to adjust to the new framework, in which there is more responsibility and accountability about how different individuals and entities collect, store and access data,” he said.
Earlier this month Resecurity, a United States-based global cybersecurity solutions provider, published a report claiming “millions of personally identifiable information (PII) records, including Aadhaar cards, belonging to Indian residents, (are) being offered for sale on the Dark Web.”
In a blog post published on October 15, Resecurity said a “threat actor” (identified as ‘pwn0001’) was brokering access to these records, and that these were available for sale for $80,000.
The data allegedly on sale also included age, gender and addresses of millions of Indian citizens.
The same post also claimed a leak from August – brokered by a “threat actor” called ‘Lucius’ – offered 1.8TB of data “impacting an unnamed India internal law enforcement organization”.
There were at least three instances of large-scale Aadhaar leaks last year, including one in which farmers’ data stored on the PM Kisan website, were reportedly made available on the dark web.