22 votes

After hack, personally identifiable information records of a large percentage of citizens of India for sale on the dark web. The hack includes biometric data

6 comments

  1. [2]
    doogle
    This is why biometric authentication is flawed. If your password is compromised you can change your password, but if your fingerprint or FaceID is compromised..... good luck.

    14 votes
  2. [3]
    mild_takes
    HUNTER investigators established contact with the threat actor and learned they were willing to sell the entire Aadhaar and Indian passport dataset for $80,000

    Does $80,000 sound cheap for this amount/scale of data? I don't have a frame of reference for it but I thought it would be worth a few million.

    3 votes
    1. [2]
      norb
      I think the cost reflects the relatively unknown value of this type of data. What can you actually do with it? For a buyer that has the money to spend on it now, and then the time to sort through the data and find a way to use it profitably then it's probably a steal (think some sort of government funded attacker).

      For your typical cybercriminal who needs to get returns on their "investment" fairly quickly, this might be a crapshoot. That's why I think this price seems low. US SSNs go for more because there are direct returns to be made, through fake tax filings, opening credit, getting loans, etc. Biometric data might be less useful today.

      3 votes
      1. mild_takes
        As far as criminals go, I wouldn't expect small-time criminals to buy it, more big-time people/vendors due to the scale. Then they'd parcel it out to the groups that actually do the fraud.

        Beyond digital payments, Aadhaars also enable e-tax filing, bill payments, and financial assets management, per the UIDAI brochure. Furthermore, Aadhaar has been “credited with making it easier for Indians to access subsidies and pension payments,” according to the Brookings report.

        It also says they're trying to link it up to voting.

        I'd say that it likely will have similar impacts to SSNs in the US, just worth less money because of lower wealth in India.

        (think some sort of government funded attacker)

        Ya, I could see N. Korea buying this. I could also see other countries buying it up, or maybe political groups in India itself.

        At the end of the day (like a lot of things) it's only worth what someone is willing to pay, and I lack any frame of reference regarding what anyone would be willing to pay for this.

        3 votes