
India has been tiptoeing on finalizing its Personal Data Protection (PDP) Bill for a long time now. A month ago, it made 89 amendments and added one new clause to this long-standing bill, which has been debated in Parliament since its introduction in 2019. However, the process needs to speed up, now more than ever, for the bill to become law. We say this because cybercriminals are refining their ways of getting away with it while end users suffer, as is evident from the latest instance, in which a likely data leak has hit Indian telecom giant Airtel, exposing the personally identifiable information (PII) of millions of users. If this were to happen in the EU, the company would face steep fines under the GDPR.
Airtel Data Leak
According to a report from the national publication India Today, nearly 2.5 million (25 lakh) subscribers of Airtel (registered as Bharti Airtel Ltd.) have likely fallen prey to a data leak that included their PII. Airtel is India’s largest telecom service provider. Security researcher Rajshekhar Rajaharia made the discovery of this alleged data leak public through a tweet.
Another Big Data Breach? A Hacker Group alleged uploaded “shell” in @airtelindia Server. Now selling all India Airtel subscribers data including Aadhaar Number. Posted 2.5 Million as sample data. (in Jan 2021) #InfoSec #DataLeak #GDPR #databreaches #dataprotection #DataPrivacyDay pic.twitter.com/uxWopfKU0M
— Rajshekhar Rajaharia (@rajaharia) February 2, 2021
Reports suggest that the leaked information included the following:
- Telephone number
- Address
- City
- Aadhaar card number
- Gender details
Was Airtel Aware?
Rajaharia shared another tweet where he revealed that Airtel’s security teams knew about the alleged leak and were in constant contact with the cybercriminals going by the name “Red Rabbit Team.”
Strange! @airtelindia already aware about this alleged breach since last 3 months. Hacker posted all email conversations with airtel too. They also posted POC video. What steps taken to remove and patch? I am also an Airtel Subscriber. 🙁 #InfoSec #DataLeak #GDPR #databreaches pic.twitter.com/Tdu9mMMIOW
— Rajshekhar Rajaharia (@rajaharia) February 2, 2021
According to the email trail presented in the video, the cybercriminals first reached out to the Airtel security team on December 12, 2020. They asked for a payout of $3,500 worth of Bitcoin in exchange for the leaked data. However, Airtel’s security team kept pushing them to allow extra time for negotiation. Eventually, infuriated, the Red Rabbit team posted the leaked data on the open web, including a sample data set of 2.5 million subscribers as proof.
Rajaharia noted that the website hosting the sample data set was taken down a few days ago and that it contained mostly data of Airtel subscribers in the Jammu and Kashmir region. However, if the leaked data was just a subset of the original data set, this could well be one of the biggest data leaks in India, because Airtel has a subscriber base of nearly 327 million in the country.
An Earlier Instance
Around a year or two back, Airtel had acknowledged a security flaw in its mobile app’s API that allowed potential threat actors to fetch sensitive user information of any Airtel subscriber. Although Airtel said, “We’ve fixed it,” could this have led to the current data leak situation?