Not only is India a large tech hub, but it is also one of the largest growing destinations for cyberattacks. Mr Rajesh Pant, who took over the role of India’s cybersecurity chief, said that every day, 4 lakh pieces of malware are found and 375 cyber-attacks are witnessed. Raising the concern, he added that apart from falling prey to voice call frauds, people should also exercise caution about clickbait, which extracts information from an internet user. Yet when a massive data breach happens in an organisation, we cannot blame an individual.
Take, for example, the massive breach at FireEye today. FireEye, one of the world's largest security firms, said today it was hacked and that a "highly sophisticated threat actor" accessed its internal network and stole hacking tools FireEye uses to test the networks of its customers. It is still unclear how the hack happened, or which software the hack affected. FireEye still does not even know when the intrusion occurred or what the attackers' motive is. But it has moved quickly to address the news.
Data is becoming more valuable by the day. Thus, for crooks looking for a quick buck, a data breach is the easiest route to billions. Yet hackers are not behind every data breach. Sometimes, loopholes and unprotected servers give bad actors access without their even having to break in. Here are some of the biggest data breaches of 2019 and 2020 (from most recent to oldest) that affected users in India.
1. WhiteHat Jr
Date: November 2020
Impact: 0.3 million students
Edtech startup WhiteHat Jr has found itself in one too many controversies recently: first the defamation case that it has filed, and then the bug in its system. The bug made the data of over 2.8 lakh students vulnerable to hackers. On November 25, The Quint quoted a security researcher who reported the bug to WhiteHat Jr. He said, "I found that the personal data of over 2.80 lakh students including names of their parents were lying exposed due to a vulnerability on the company's server-side."
The company reported no data leak and said that it fixed all vulnerabilities within 24 hours. The same security researcher later reported that the company had restricted its AS servers.
2. BigBasket
Date: October 2020
Impact: 20 million user accounts
Cybersecurity firm Cyble reported that the user data of online grocery platform BigBasket was for sale in an online cybercrime market. The database, containing the personal information of close to 20 million users, was offered for INR 3M. The data included names, email IDs, password hashes, PINs, mobile numbers, addresses, dates of birth, locations, and IP addresses.
BigBasket also admitted that a data breach had happened. While BigBasket had said it was evaluating the data breach, there has been no update on the same.
3. Edureka
Date: September 2020
Impact: 2 million students
Another edtech startup, Edureka, suffered a data breach in September 2020. The startup allegedly left a server exposed without any password protection, which put the personal data of its users at risk. This meant that mere knowledge of the server’s IP address provided unfettered access to a part of the company’s database. This included user names, email addresses, phone numbers, and login activity records, held on Amazon servers hosted in the US.
SafetyDetectives’ security research team, led by Anurag Sen, found more than 45 million breached records totalling more than 25 gigabytes, including email addresses, full names, and phone numbers, although some of these records could be duplicates. A spokesperson from Edureka confirmed the data breach on its servers but denied the exposure of sensitive personal information of its users.
4. Dunzo
Date: July 2020
Impact: 3.4 million users
Earlier in July, Dunzo confirmed a massive data breach and the exposure of users' personal information such as mobile numbers and email addresses. Dunzo also explained that the affected information included details such as the last known location, phone type, and last login dates. The company further found that the database also contained advertising-related attributes including a few specific PII — device info, last known IP address, and advertising ID.
Dunzo did not give an exact number for the data breach. But according to the haveibeenpwned website, the data breach affected 3,465,259 user accounts.
5. Unacademy
Date: May 2020
Impact: 22 million users
Unacademy is one of the most popular online educational platforms in India. The edtech unicorn suffered a major security breach that led to the exposure of data of around 20 million of its subscribers. Cybersecurity firm Cyble exposed the data breach, just as it had discovered the security scare at Zoom. It further reported that the threat actor had begun to sell an Unacademy user database containing 20 million accounts for $2,000.
Confirming the data breach, Hemesh Singh, co-founder and CTO of Unacademy, however, claimed that the breach affected only 11 million users' data and no passwords.
6. KKNPP and ISRO
Date: October 2019
Impact: On October 20th, 2019, authorities in India confirmed that one of the country's nuclear power plants had been hacked. The malware attack on the Kudankulam Nuclear Power Plant (KKNPP) happened on September 4th. It said that the North Korean state-sponsored threat group, Lazarus, was behind the attack. While the malware did not target critical control systems, instead infecting a network used for administrative purposes, the attack highlights the potential for a catastrophic attack.
The infected computer belonged to a user who was connected “in the Internet-connected network used for administrative purposes,” an NPCIL official said. “Investigation also confirms that the plant systems are not affected.”
7. Healthcare data breach
Date: August 2019
Impact: 6.8 million users
Enterprise security firm FireEye revealed that hackers had stolen information about 68 lakh patients and doctors from a health care website based in India. FireEye said that a Chinese hacker group, Fallensky519, perpetrated the attack. Furthermore, it said healthcare records were up for sale on the dark web for even less than $2,000.
8. JustDial
Date: April 2019
Impact: 100 million users
Justdial is a company that provides local search for different services in India over voice calls and the internet. It suffered a data breach that compromised the personal details of 100 million users. Independent cyber-security researcher Rajshekhar Rajaharia reported the leak. He also said that the company had not been able to fix the breach. He added that the breach did not affect a newer version of the website, but that the attack put at risk the data of users who called on the older website.
Apparently, the breach happened because some of its application programming interface (API) endpoints had remained unprotected over the years. These allowed anyone online to view the profile information of over 100 million users, including their mobile numbers and addresses. The report also noted that these APIs were able to fetch the personal information of newly registered users in real time.
9. SBI
Date: January 2019
Impact: 3 million users
SBI left one of its servers unprotected, which exposed the data of its 422 million customers. The server, situated in Mumbai, contained partial bank account numbers, bank balances and phone numbers of individuals using the bank’s SBI Quick service.
10. Aadhaar data leak
Date: 2019
Impact: Over 1 billion
One of the web systems in Jharkhand that recorded the attendance of government workers was left exposed. It had been without a password as far back as 2014, allowing anyone access to names, job titles, and partial phone numbers.
"The largest was in India, where the government ID database, Aadhaar, reportedly suffered multiple breaches that potentially compromised the records of all 1.1 billion registered citizens. It also reported in January, that criminals were selling access to the database at a rate of 500 rupees for 10 minutes. Meanwhile in March, a leak at a state-owned utility company allowed anyone to download names and ID numbers," stated the World Economic Forum's Global Risks Report 2019 talking about major data breaches in the world.