This might very well be the biggest data breach in India’s history.
Reliance Jio customer data, comprising sensitive details of its 120 million users, including, as many have noted, their Aadhaar numbers, has been leaked online and perhaps still circulates in the black market for online data, where it is sold to the highest bidder and often leads to major cyber fraud.
A website named magicapk.com, which was taken down at 11pm on July 9, posted the leaked Reliance Jio user identification (Know Your Customer, or KYC) data. The data remained online until Fonearena.com reported it, after being told that entering a Jio number into the website’s search box returned that customer’s details.
Screenshot of leaked Jio data. Image: Twitter.
Fonearena.com’s editor Varun Krish was himself shocked to find his own Reliance Jio number among the trove of Jio SIM mobile numbers leaked online and available on magicapk.com, the now offline website.
The data that became available included personal details such as name, email id, circle, SIM activation date, and even Aadhaar numbers, according to Factordaily.com.
However, when the technology policy website Medianama ran its own checks, it found that Aadhaar numbers were redacted in the results. It is not clear whether this redaction was specific to Medianama’s searches on magicapk.com, whether the website had held back Aadhaar details altogether, or whether it had only selectively leaked the data linked to Reliance Jio SIMs.
Original fonearena story which is being relied upon by mainstream press asserts they traced three Aadhaar numbers. https://t.co/gWsgbfTkRC
— Apar (@aparatbar) July 10, 2017
Reliance Jio in denial
Of course, Reliance remains in deep denial about this matter of grave concern, as is evident from the nonchalant statement it issued in the wake of the massive data breach. While casually brushing off the reports of the breach and the leaked data as “unverified and unsubstantiated claims of the website”, Reliance Jio has nevertheless started a probe into the “contained” issue.
“We want to assure our subscribers that their data is safe and maintained with highest security. Data is only shared with authorities as per their requirement. We have informed law enforcement agencies about the claims of the website and will follow through to ensure strict action is taken,” a Jio spokesperson said according to the Indian Express.
What’s at stake here?
As reported by various tech and privacy websites, what is at stake in the Jio data breach includes first name, second name, email, SIM activation date, circle, and in some cases even the Aadhaar number. This matters because with this information a SIM can be duplicated and misused, and email accounts can be broken into and used for further cyber fraud.
Jio's claim that the data in the leak appears unauthentic is bullshit. Multiple people, including me, have verified https://t.co/UlErjOtktf
— Nikhil Pahwa (@nixxin) July 10, 2017
But the biggest concern here is that a Jio SIM is in most cases Aadhaar-synced, and that the biometric UID, which is supposed to be completely confidential and is meant to authenticate almost every service in the country, whether government or commercial, is now in circulation. This means that the floodgates of further data breaches and privacy violations against Jio users have been opened.
Even though Aadhaar can be locked once synced with one’s mobile number, this is a little-known fact and has not been done for most synced mobile numbers. Moreover, Jio has not answered the questions Medianama put to it, such as how the data is stored, whether it is encrypted and at what level, whether the Aadhaar number is used only to authenticate or is also stored in Jio’s database, how the data could have leaked, what Jio plans to do to curb such leaks in future, who has access to the unencrypted database, and so on.
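The storage questions above (is the Aadhaar number kept at all, is it encrypted, what does a lookup reveal) have a well-known defensive answer: keep only a keyed digest of the number, enough to re-authenticate a subscriber, and never return the number or the digest from a customer-facing lookup. The following is an added illustration of that design, written for this article; it is not code from Reliance Jio or from any of the sites quoted. The in-memory store, the example subscriber, the mobile number and the 12-digit value are all constructed, and the key is generated at start-up only for demonstration (a real deployment would hold it in a KMS or HSM, away from the records).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed for this example: in a real deployment the key lives in a KMS/HSM,
# is never stored beside the records, and is rotated with re-tokenisation.
TOKEN_KEY = secrets.token_bytes(32)

# Constructed in-memory store keyed by mobile number; stands in for the KYC database.
STORE: Dict[str, "KycRecord"] = {}


@dataclass(frozen=True)
class KycRecord:
    name: str
    email: str
    circle: str
    activation_date: str
    aadhaar_token: str  # keyed digest of the Aadhaar number; the number itself is never kept


def tokenize_aadhaar(aadhaar: str, key: bytes = TOKEN_KEY) -> str:
    """Return an HMAC-SHA256 token of the 12-digit number.

    An unkeyed hash would be reversible by brute force (only 10**12 candidates);
    the secret key makes the token useless to anyone who copies the table but
    not the key.
    """
    digits = aadhaar.replace(" ", "")
    if not (digits.isdigit() and len(digits) == 12):
        raise ValueError("Aadhaar number must be exactly 12 digits")
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def enrol(mobile: str, name: str, email: str, circle: str,
          activation_date: str, aadhaar: str) -> KycRecord:
    """Store a KYC record that holds only the token; the plaintext number is discarded."""
    record = KycRecord(name, email, circle, activation_date, tokenize_aadhaar(aadhaar))
    STORE[mobile] = record
    return record


def verify_aadhaar(record: KycRecord, presented: str, key: bytes = TOKEN_KEY) -> bool:
    """Re-authenticate a subscriber: recompute the token and compare in constant time."""
    return hmac.compare_digest(record.aadhaar_token, tokenize_aadhaar(presented, key))


def mask_email(email: str) -> str:
    """Keep only the first character of the local part, e.g. a***@example.invalid."""
    local, _, domain = email.partition("@")
    return (local[:1] + "***@" + domain) if domain else "***"


def lookup(mobile: str) -> Optional[dict]:
    """Customer-facing view: masked email, and only the fact that Aadhaar is linked."""
    record = STORE.get(mobile)
    if record is None:
        return None
    return {
        "name": record.name,
        "email": mask_email(record.email),
        "circle": record.circle,
        "activation_date": record.activation_date,
        "aadhaar": "linked",  # presence only; neither the number nor the token leaves the service
    }


if __name__ == "__main__":
    # Constructed sample subscriber; the mobile number and Aadhaar value are not real.
    rec = enrol("9999900001", "Asha Example", "asha@example.invalid",
                "Mumbai", "2017-05-01", "1234 5678 9012")
    print(lookup("9999900001"))
    print(verify_aadhaar(rec, "123456789012"), verify_aadhaar(rec, "123456789013"))
```

The point of the design is that a copy of the table, which is what a leak like the one reported here amounts to, yields names, circles and activation dates but no Aadhaar numbers, and a search interface built on `lookup` can only confirm that a number is linked, never reveal it.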
We're still awaiting a response from Jio to these questions: Check Q's 3,4 and 7. https://t.co/UlErjOtktf pic.twitter.com/DZyL5W7eRP
— Nikhil Pahwa (@nixxin) July 10, 2017
‘Data privacy is a joke in India’
It is not just the editor of Fonearena.com, who himself became a victim of the latest breach in the data dyke of Reliance Jio (which, of course, is Aadhaar-synced, or activated via Aadhaar e-KYC): privacy activists in the country concur that “data privacy is a joke in India”.
Here is a big word. Goodnight. Your data sleeps safely in an air conditioned server farm. Why bother with the rule of law? In UIDAI we trust https://t.co/yHrl088ilK
— Apar (@aparatbar) July 9, 2017
The latest breach of Reliance Jio data has not in fact been plugged; only one highly suspicious website hosting the illegally obtained data has been taken offline. It is an indication of the abysmal state of online security and the escalation of cyber fraud, at a time when the government and big corporations, especially telcos like Reliance Jio, want to connect everything to Aadhaar and make the biometric UID the central node of citizens’ very digital existence in the country.
I'll be the broken record and repeat for the 100th time:
1. Aadhaar is predatory by design
2. Aadhaar is a disaster of terrifying magnitude https://t.co/9ucNd2rzAP
— Abhinav Agarwal (@AbhinavAgarwal) July 9, 2017
The Jio data breach, unlike the instances of Aadhaar data leaking from government websites in states like Jharkhand, is a classic case of data theft: data to be sold and resold, whole or in parts, to bidders and data miners, the various corporations and online marketing companies for whom data is the new oil.
The website magicapk.com was registered just two months ago, to an individual whose identity is not disclosed in the domain registration records.
Where does this leave Jio users?
Despite an October 2015 Supreme Court order saying that telcos have no right to link Aadhaar with mobile numbers, the order is going unheeded, like most SC orders on Aadhaar.
DoT, based on a (purposely?) flawed reading of a SC ruling has asked telcos to link mobiles to aadhaar. Means more Aadhaar data at risk
— Nikhil Pahwa (@nixxin) July 10, 2017
It is important to note a Constitution bench on October 2015 denied Mobile Aadhaar linking plea from TRAI. https://t.co/oOdSjQt4zC
— Anivar Aravind (@anivar) July 10, 2017
As the government goes on a rampage linking essential services to Aadhaar, including healthcare, PDS and ration, food supply for the poor, mid-day meals at government schools, school enrolment, hospitalisation, train ticket booking, and even bank accounts, the central question of the privacy activists is completely ignored.
I've been saying for a while: the Aadhaar data is too valuable, ecosystem too flawed and vulnerable, for it to survive the test of time
— Nikhil Pahwa (@nixxin) July 10, 2017
Govt, @UIDAI & @NandanNilekani keep treating people questioning Aadhaar ecosystem as enemies, instead of using inputs to modify and improve
— Nikhil Pahwa (@nixxin) July 10, 2017
The Aadhaar ecosystem, which has been thoroughly exposed as a leaky, fraud-prone extreme surveillance system that reduces citizens to transactional points and nothing more, suspending their fundamental rights to the will of an authoritarian regime, is a many-headed hydra.
Like Reliance Jio, which boasts of having reached 100 million users faster than anyone and tries to assure its users of ungodly data speeds, even though the reality is completely different, every other telco, and every commercial and governmental entity premised on Aadhaar, is vulnerable to cyber crime.