Data from 3.1 people leaked to TN PDS site, e-business says government denies
The data includes information such as Aadhaar cards, Makkal number, full name, father’s name, contact details, family details and more.
The data of 3.1 million people from Tamil Nadu’s Civil Supplies and Consumer Protection Department, which is data from the public distribution system, has been breached and is for sale on a hacker forum, according to the startup. of cybersecurity Technisanct. Earlier this week, on June 26, the website shown it had been “hacked by 1945VN”, and subsequently shown that it was in maintenance. Technisanct said the data included information such as Aadhaar cards, Makkal number, full name, father’s name, contact details, family details and more.
According to the TN PDS website, there are 6.8 crore of registered beneficiaries, with 2.13 crore of registered cell phone numbers and 6.76 crore of Aadhaar cards. Technisanct said that after discovering the breach, he contacted the government of Tamil Nadu, the Union government and CERT-IN, India’s nodal cybersecurity agency. Technisanct founder Nandakishore Harikumar said he had been informed that the government of Tamil Nadu had forwarded the report for further investigation.
Technisanct identified the threat on June 28, when the data of 52 lakh people was uploaded to the forum. Shortly after its installation, it was taken apart. Nandakishore said they assumed more data would be leaked, and the hacker was likely to expect a better price. The hacker allegedly tracked the data of 2.6 crore of people, leading to the exposure of data of more than 3.1 crore of people.
Speaking to TNM, Nandakishore said they evaluated data from the initial dump which contained information on around 50 lakh of people, and they were evaluating the second.
“Because this is a huge amount of data, we have to see how many Aadhaar cards are present, how much other individual information is present. In addition, the hacker claims that he has access to the entire dump, i.e. 1.9 TB of data. The PDS website itself states that there is data pertaining to 6.8 crores of Tamil Nadu citizens, ”he said.
Nandakishore said that in the downloaded data of 3.1 crore of people, they found 1.94 crore of Aadhaar card data.
“He might release the full 6.8 crore data in the near future. We also assume he has access to the servers so far, ”he added.
Nandakishore adds that when they initially evaluated the first 52 lakh, they found three lakh plus phone numbers. This disconnect, according to Nandakishore, is likely due to the fact that most of the beneficiaries could potentially be from rural areas and grab details at the ration store.
Officials from the Food and Consumer Affairs Department told The Hindu that the company that runs the same denied the hack. The report adds that the company told the government that only the homepage was downgraded and there was no violation. The report further added that officials said an audit would be carried out.
News18 further indicated that the matter would be addressed by Md. Nasimuddin IAS, Additional Chief Secretary of the Cooperation, Food and Consumer Protection Department.
Nandakishore wonders why an audit would be done if there was no violation.
Also, regarding questions if it was in fact TN PDS data, he said that they had accessed the schematic, and there was no doubt that it was not TN PDS. A schema is a description of the structure of the database, i.e. how it is constructed, the type of data, etc.
Srikanth L of Cashless Consumer, a consumer awareness collective, agrees. “By putting it [the data that was uploaded] in the context of the whole database and the fact that the site has indeed been degraded, it is quite possible that we probably will not have the ability to trust the denial. It falls flat. He showed data, ”he said.
Nandakumar says if the data of all citizens on the portal is breached, it represents a huge digital footprint of an individual and can be used for phishing.
“If I get a call from the government and the person tells me it’s your Aadhaar number, your Makkal number and it’s all your data and you just have to click on a link, it is possible that people are victims of phishing. because all the data you need to show yourself as an official is there, ”he says.
Srikanth says there have been comments about the amount of data that is already public information, as leaked on voter lists.
“While it can be argued that name, address, age are part of the publicly available voter lists and therefore might not be sensitive information, this PDS database contained the cell phone number, Aadhaar , date of birth, family relationships – all of which are sensitive information and could be used in a variety of ways to profile individuals, families and communities, ”he says.
“This could be used for voter profiling or creating credit profiles of all of the state’s demographics. Even if it is 20 million, it is a good part of the population of the state, ”he adds.
It comes as the state government attempts to create a state family database for e-governance, and has sought it to be the “one-stop source of truth on all of the details regarding families. state residents ”, and reviews the data that is complete and usable by all departments. This requires having a database that crosses departments and can only compound the ramifications of such a leak.
Nandakishore says all governments will also have other data and they need to make sure critical infrastructure is properly monitored and audited.
It is important to note that India does not yet have a personal data protection law and there is no mechanism in place on what governments or companies should do in the event of a breach.
Lily: Afraid of a data breach? Here’s how to protect your information online
Lily: Implications of the Domino data breach and how you can protect your data