The personal data of 7 Mn Indian credit card and debit card users has been leaked on the dark web this month.
Screenshots of the leaked data reveal that the database, sized 2 GB, which is on a public Google Drive link, includes cardholders’ names, phone numbers, email addresses, names of employer firms, annual incomes, types of accounts and whether they have switched on mobile alerts or not. Further, the leaked database also includes the PAN numbers for 5 Lakh cardholders.
The leaked data is from the period between 2010 and 2019.
According to cybersecurity researcher Rajshekhar Rajaharia, who alerted Inc42 about the development, the leaked data can be used by cybercriminals for spam messages and phishing attacks.
The name of the cardholders’ employer firm would help cybercriminals tailor their spam SMSes and emails to suit the target user.
While it was not possible to verify whether the leaked data for 7 Mn users is genuine or not, Inc42 and Rajaharia have verified the same for at least some users.
Queries to the Indian Computer Emergency Response Team (CERT-In) about the data leak didn’t yield response by the time of publication.
It is worth noting that there is little in common among the cardholders whose data has been leaked. The leaked database consists of cardholders employed with companies such as Axis Bank, Bharat Heavy Electricals Limited, Kellogg India Private Limited and Mckinsey and Company, among several others, with annual incomes ranging from INR 7 Lakhs to more than INR 35 Lakhs.
The data leak is just the latest in a string of such cyber attacks, impacting millions of Indian users.
Cybersecurity experts Inc42 has spoken to in the past, mentioned that cyber attacks have certainly risen this year, mostly due to several enterprises adopting work from home processes and handling larger amounts of data amid the pandemic.
A survey conducted by the security firm Barracuda Networks, a California based leader in the field of data protection, revealed that about 66% Indian companies reported at least one data breach since the shift to the work-from-home model this year due to the countrywide lockdown that was put in place starting March 24, 2020, to contain the spread of the pandemic.
Further, phishing campaigns targeting users en masse with claims such as “Free Covid Tests” have been doing the rounds.
The Fraud and Risk Management in Digital Payments report by the Data Security Council of India (DSCI) also talks about increased numbers for web-skimming, malware campaigns and phishing scams amid the Covid-19 pandemic.
The growth in cyber attacks comes at a time when digitisation of the Indian economy is predicted to result in a $435 Bn opportunity by 2025.
Cyber Attacks On Indian Platforms
Recent months have seen several Indian companies, such as Google-backed hyperlocal delivery platform Dunzo, online grocery delivery service BigBasket, popular India food manufacturing company and restaurant chain owner Haldirams, Indian edtech platform Edureka, online travel marketplace RailYatri and even the personal website of Prime Minister Narendra Modi suffer cyber attacks, with the data on these websites being subsequently leaked on the dark web, where it was available for purchase.
Last month, users’ data from Info Edge-owned jobs portal iimjobs.com had been leaked on the dark web.