THE DIPLOMAT

APLN member Rajeswari Pillai Rajagopalan writes for the Diplomat on India’s growing cyber vulnerabilities. She argues that unless India makes cybersecurity and security of information and data a priority, the consequences will be severe. Read the original article here.

India has been pushing its Digital Public Infrastructure (DPI) initiatives within the region and globally, most recently during India’s G-20 presidency. India made important advances in DPI during the COVID-19 pandemic. Some of the notable DPI initiatives include a digital national ID (Aadhaar) as well as a payment infrastructure through the Unified Payments Interface (UPI), which is an instant payment system developed by India indigenously.

However, with the extensive digital networks that India has managed to create, one major concern is the security of that data. There have been repeated reports that inspire deep concern about the security of India’s digital infrastructure.

A few days ago, Indian media reported that an American cybersecurity firm, Resecurity, had revealed an alarming cybersecurity incident in which the personal information of more than 800 million Indian citizens was put up for sale on the dark web. This appears to have been one of the worst data breaches that India has ever experienced. It goes without saying that this incident yet again brings out the urgent need for India to augment its cyber security measures. Resecurity now says that the post on the dark web has been removed, though a cached version still remains available.

Quoting Resecurity reports, Indian media reports stated that the compromised data includes names, phone numbers, addresses, Aadhaar details, and passport information, all of which was apparently available for sale. The cybersecurity firm’s HUMINT (human intelligence) division, HUNTER, said after contact with the perpetrator that they are “willing to sell [the] entire Aadhaar and Indian passport database for $80,000.”

The perpetrator reportedly goes by the name, “pwn0001.” Through a blog post, the perpetrator revealed that “the data had originated from a government system.” It is not clear if that the data breach happened from a third party that collects a lot of data for Know Your Customer (KYC) purposes. The loss of such data has severe consequences, with the perpetrators able to engage in any number of financial scams, possible identity thefts for financial purposes or otherwise. Loss of Indian Personally Identifiable Information (PII) data enhances these two threats.

According to media reports, the Central Bureau of Investigation (CBI) is investigating the case. There is also suspicion that the data breach may have taken place in the Indian Council of Medical Research (ICMR) database. In fact, on October 15, Resecurity’s HUNTER put out a blog post about the threat actor, who had “advertised the sale of 815 million Indian Citizen Aadhaar and Passport records on Breach Forums.” The threat actor reportedly claimed to have gotten ahold of the data from the ICMR. The blog post further noted, “Concurrently, pwn0001 shared spreadsheets containing four large leak samples with fragments of Aadhaar data as proof. One of the leaked samples contains 100,000 records of PII related to Indian residents.”

This is not the first time that India is dealing with a major cybersecurity incident.

In November last year, one of India’s premier hospitals, the All India Institute of Medical Science (AIIMS), was subject to a ransomware attack. The attack crippled “outpatient and inpatient digital hospital services, including smart lab, billing, report generation, appointment scheduling.” Ransomware attacks are cyberattacks where the attacker penetrates computer systems and locks them down, preventing the original owner from accessing the system, and asks for a ransom payment to be made to return access. It was reported that the perpetrators of the AIIMS cyberattack had demanded ransom, although the Delhi Police denied it.

Ransomware attacks have seen an uptick in recent years. According to the Indian Computer Emergency Response Team (CERT-IN)’s India Ransomware Report 2022, there has been a 53 percent hike in the number of ransomware attacks in several sectors including critical infrastructure. There was also another ransomware attack on AIIMS website in June 2023, but the attack was reportedly thwarted and neutralized promptly.

In June, there were also reports about a data breach in which personal data of vaccinated citizens from the CoWin website, an Indian government web portal for COVID-19 vaccination registration, were allegedly revealed on the Telegram messenger app. However, the government strongly denied the report. In fact, Minister of State for Electronics and Information Technology Rajeev Chandrasekhar said that the data that the bot appears to be using are old stolen data from other databases and not CoWin.

These are merely a few incidents, but what they demonstrate is the innate weaknesses in India’s digital and cyber infrastructure. According to the latest report from Microsoft, India ranks within the top five in terms of the number of cyberattacks. The report noted that India is targeted by 13 percent of cyberattacks in the broader Asia-Pacific region, making it one of the top three most attacked countries. Another report, from Surfshark, puts India at number two position in the world (as of 2022) in terms of “the number of data breach cyber-attacks on its enterprises and ranks 14th globally in average data breach costs.”

This is not a comprehensive listing of the cyberattacks on India but establishes that India continues to face vulnerabilities across multiple sectors, including health, fintech, and banking. Alongside the pandemic, New Delhi’s embrace of digital technologies picked up pace and this has increased the vulnerabilities India faces. CloudSEK, an AI company that has been monitoring cyber threats, in a recent report highlighted “a money laundering scheme that exploits India’s Unified Payments Interface (UPI), revealing a web of deceit with real consequences for unsuspecting victims.”

With India’s embrace of DPI and broader digitalization, it has to have a cybersecurity-first attitude, without which there could be large scale data theft, with personal as well as financial implications. But a recent report from ISACA said that “forty percent of Indian cybersecurity teams are understaffed.” The report also revealed that there is a shortage of skillsets including “soft skills, cloud computing and security controls” both in India and across the globe. Unless India makes cyber security and security of information and data a priority, the consequences will be severe.