Skip to content

Dark News: Data of Millions of Indian Consumers Up for Sale on Dark Web

Data from at least four Indian companies stolen in the most recent hack attacks.

NEW DELHI — The data of more than 100 million users of at least four Indian companies, all believed to have been breached by the same hacker, is being sold on the dark web.

The masked credit and debit card data stolen by a hacker possibly known as “ShinyHunters” was first revealed by Rajshekhar Rajharia, a cybersecurity researcher, through a tweet on Jan 3. Though the breach of payment app Juspay occurred five months ago, the company did not confirm the breach until Jan. 5.

Meanwhile, consumers have been left in the dark as to what to do.

“I use several apps that Juspay provides its services for. How do I even figure out if the hackers gained access to my bank data?” said Rishabh Ojha, a software engineer at Accenture India.

“Even if I were to know that my card data is being sold on the dark web, who do I hold accountable? There are different claims about the volume and type of information getting leaked. Dependency on digital payments has grown by leaps and bounds in the recent years, but the users have little or no awareness about the risks involved, the precautionary measures and the necessary steps to be taken in case of a fallout.”

Juspay, which processes payments for Amazon, Swiggy, MakeMyTrip and several other organizations, said only 35 million users were affected, with their masked card data and card fingerprint getting breached. A part of user metadata that had “non-anonymised, plain-text email IDs and phone numbers” was also compromised, it said.

“These reports claiming that data of 10 crores (100 million) cardholders’ was breached or ‘India’s largest breach’ is grossly inaccurate,” it said in a blog post. “All of the customers’ full card numbers, order information, card PINs, or passwords are secure. The compromised data does not contain any transaction or order information.”

However, screenshots shared by Rajharia show data dumps with names of the issuing bank, cardholder’s name, customer ID, expiration date, masked credit or debit card numbers, names, and customer and merchant account identification data have been leaked.

ShinyHunters was also found to be selling user data from three other firms — ClickIndia, Chqbook, WedMeGood, Rajharia said. ClickIndia is an advertising platform, Chqbook is a neobank for small business owners, and WedMeGood is a wedding planning firm.

BleepingComputer, a New York-based information security news outlet, reported on Dec. 30 about a data breach broker selling 368.8 million stolen user records from 26 companies, including some from India, on a hacker forum.

The site posted “a full list of companies whose alleged data is being sold, including the number of user records and whether they were previously disclosed.” The list includes Juspay (100 million users’ data); BigBasket, India’s largest online food and grocery store (20 million); ClickIndia (8 million); Chqbook (1 million); and WedMeGood (1.3 million).

ClickIndia, WedMeGood and Chqbook did not respond to requests for comment from Zenger News.

The data of over 220,000 residents of Jammu and Kashmir was put up for sale last week on the dark web.

“Over time, the cost of doing a cyber fraud in India has come down, while the revenue generated has gone up,” said Dhiraj Gupta, co-founder and chief technology officer of mFilterIt, a marketing ad fraud prevention platform. “First, the growing standardization of IT services with time — the use of same data servers, cloud architecture, web hosting services, etc. — has made it easier for fraudsters to coordinate attacks.

“Secondly, cybersecurity has always been considered by companies as good-to-have and not must-to-have. A lot of Indian companies do not have even the basic cybersecurity structure in place, making them vulnerable to attacks. Third, the growing digitalization has expanded our data resources, therefore, providing the hackers greater scope to make money.”

The pandemic may have a role in the increasing number of hack attacks. A survey by data protection firm Barracuda Networks in August found that about 66 percent of Indian companies had reported at least one data breach since shifting to a remote working model.

Other massive data breaches in 2020 included that of Prime Minister Narendra Modi’s website and Indian Railways’ online ticketing portal.

Codes running on a computer screen. (Markus Spiske/Unsplash)

In 2020, India recorded 375 cyber-attacks and 400,000 malware each day, National Cyber Security Coordinator Rajesh Pant said in November.

Thousands of fake websites related to Covid-19 sprang up during this period. The most common were fake versions of the flagship “PM CARES” payments interface that looked deceptively similar to the original. Officials at the Home Ministry said they received over 8,300 complaints from individuals across India who deposited thousands of dollars into fake accounts.

Other cyber frauds during this period involved Reliance Jio and Netflix discounts.

The latest is a Covid-19 vaccine registration scam, in which fraudsters call people and ask for their bank account details or direct cash transfer in exchange for Covid-19 vaccination enrollment. The Union Ministry’s cyber helpline warned against this scam in a tweet on Dec. 28.

“It’s about time India brings in a regulation like Europe’s GDPR compliance. This will help ensure citizens not only more privacy and control on their data, but also raise the cybersecurity bar in the country,” said Gupta, of mFilterIt.

The EU’s General Data Protection Regulation (GDPR) privacy and security law went into effect on May 25, 2018. It levies harsh fines on those who violate the privacy and security standards.

India’s Personal Data Protection Bill, Introduced in December 2019 by Ravi Shankar Prasad, Union minister for information technology, has not yet been approved by both houses of parliament. It aims to “protect personal data of individuals, establishes a Data Protection Authority for the same, and governs the processing of personal data by government and private companies — both Indian and foreign.”

(Edited by Namrata Acharya and Judith Isacoff. Map by Urvashi Makwana)

Recommended from our partners