India's biggest data breach? Hacking gang claims to have stolen 815 million people's personal information

The personal information of more than 815 million people in India has reportedly been leaked online.

According to local media reports, hackers have offered for sale the personally identifiable information (PII) - including that found on Aadhaar identity cards - belonging to hundreds of millions of Indian residents.

A threat actor calling themselves "pwn0001" posted on the Breach Forums black hat hacking site said that they had the records of 815 million people available, including Aadhaar and passport information, names, phone numbers, and addresses.

According to pwn0001, the data was exfiltrated from information submitted by Indian residents to the Indian Council of Medical Research (ICMR) when they had Covid-19 tests, although the ICMR has not confirmed it has been breached.

Analysts at Resecurity made contact with pwn0001, who told them that they were willing to sell the passport data for US $80,000.

At the same time, the threat actor shared spreadsheets containing large samples of over 100,000 stolen Aadhaar records in order to corroborate their claims of a data breach.

An analysis by the experts at Resecurity confirmed that the Aadhaar card IDs were authentic.

The news of what is claimed to be such a significant data leak couldn't come at a worse time for the Indian authorities.

In September, security researcher Sourajeet Majumder uncovered a vulnerability on an Indian government website that had unwittingly leaked documents which included Aadhaar numbers, identity card details and even copies of residents' fingerprints.

By mid-October the website flaw had been fixed, thanks to Majumder's responsible disclosure. But it is, of course, possible that fraudsters and online criminals had been able to exploit it for nefarious purposes beforehand.

If data breaches like these keep happening, it's understandable why many people will feel increasingly reluctant to trust the authorities with their personally identifiable and biometric data.

You can change a password, and you can change your bank account. Hey, you can even change your name if you really feel you have to. But good luck changing your fingerprints.