Why in News?
Recently, American cyber security firm Resecurity has reported that 815 million Indian citizens' Personally Identifiable Information (PII), including Aadhaar numbers and passport details, is being sold on the Dark Web.
- Threat actors selling data claimed it was from the Indian Council of Medical Research (ICMR), which has been targeted in numerous cyber-attacks, with 6,000 incidents reported in 2022.
What is the Dark Web?
- The dark web is a subset of the deep web, excluding indexed sites and accessible only through specialized web browsers, significantly smaller than the surface web.
- The dark web is the bottom tip of a submerged iceberg, as depicted in the ocean and iceberg visual.
- The dark web is a hidden internet realm that requires special software, configurations, or authorization to be accessed, making it difficult for the average user.
What is Personally Identifiable Information and How Did Threat Actors Gain Access to Sensitive Data?
- About PII:
- PII is data that, when combined with other relevant information, can uniquely identify an individual.
- PII can be direct identifiers like passport information or quasi-identifiers that can be combined with other data to accurately identify an individual.
- Access to Sensitive Data:
- Threat actors selling stolen data on the dark web have not provided details on how they obtained the data, making it difficult to identify the source.
- Lucius, a second threat actor, claimed to have access to a 1.8 terabyte data leak affecting an unnamed "Indian internal law enforcement agency", but the claim is yet to be authenticated.
- Researchers found data samples referencing UIDAI, Aadhaar cards, and voter ID cards, suggesting potential breach by threat actors by aggregating these details.
- Threats Arising from Leaked Information:
- India, a rapidly growing global economy, ranked 4th globally in malware detection in the first half of 2023, according to a survey by Resecurity.
- The unrest in West Asia and increased attacks by threat actors have significantly exposed personally identifiable data, increasing the risk of digital identity theft.
- Threat actors use stolen identity information to commit cyber-enabled financial crimes such as online-banking theft and tax frauds.
Previous Instances of Data Breach
- Aadhaar data leaks occurred in 2018, 2019, and 2022, with three large-scale incidents, including one where farmer data on PM Kisan website was exposed on the dark web.
- In 2023, it emerged that a bot on the messaging platform Telegram was releasing personal data of Indian citizens who registered with the Covid-19 vaccine intelligence network (CoWIN) portal.
Way Forward
- UIDAI has suggested the use of a "masked Aadhaar" that only displays the last four digits of the Aadhaar number to enhance privacy and security.
- The Aadhaar Act should be amended to reinstate independent oversight through a high-powered "Identity Review Committee" to guarantee accountability.
- The government should restrict mandatory Aadhaar usage to permissible purposes and offer alternative authentication methods in case of Aadhaar authentication failure.
- UIDAI users can secure their Aadhaar data by locking it on the website or mobile app, rendering biometric information useless if compromised.