The biggest data breaches in India (2023)

CSO Online tracks recent major data breaches in India.

By Soumik Ghosh

Senior Writer, CSO

Over 313,000 cybersecurity incidents were reported in 2019 alone, according to the Indian Computer Emergency Response Team (CERT-In), the government agency responsible for tracking and responding to cybersecurity threats.

Here, we take a look at some of the biggest recent cybersecurity attacks and data breaches in India.

Air India data breach highlights third-party risk

Date: May 2021

Impact: personal data of 4.5 million passengers worldwide

Details: A cyberattack on systems at airline data service provider SITA resulted in the leaking of personal data of passengers of Air India. The leaked data was collected between August 2011 and February 2021, when SITA informed the airline. Passengers didn't hear about it until March, and had to wait until May to learn full details of what had happened. The cyber-attack on SITA’s passenger service system also affected Singapore Airlines, Lufthansa, Malaysia Airlines and Cathay Pacific.

CAT burglar strikes again: 190,000 applicants’ details leaked to dark web

Date: May 2021

Impact: 190,000 CAT applicants’ personal details

Details: The personally identifiable information (PII) and test results of 190,000 candidates for the 2020 Common Admission Test, used to select applicants to the Indian Institutes of Management (IIMs), were leaked and put up for sale on a cybercrime forum. Names, dates of birth, email IDs, mobile numbers, address information, candidates’ 10th and 12th grade results, details of their bachelor’s degrees, and their CAT percentile scores were all revealed in the leaked database.

The data came from the CAT examination conducted on 29 November 2020, but according to security intelligence firm CloudSEK, the same threat actor also leaked the 2019 CAT examination database.

Hacker delivers 180 million Domino’s India pizza orders to dark web

Date: April 2021

Impact: 1 million credit card records and 180 million pizza preferences

Details: 180 million Domino’s India pizza orders are up for sale on the dark web, according to Alon Gal, CTO of cyber intelligence firm Hudson Rock.

Gal found someone asking for 10 bitcoin (roughly $535,000 or ₹4 crore) for 13TB of data that they said included 1 million credit card records and details of 180 million Domino’s India pizza orders, topped with customers’ names, phone numbers, and email addresses. Gal shared a screenshot showing that the hacker also claimed to have details of Domino’s India’s 250 employees, including their Outlook mail archives dating back to 2015.

JubilantFoodWorks, the parent company of Domino’s India, told IANS that it had experienced an information security incident, but denied that its customers’ financial information was compromised, as it does not store credit card details. The company website shows that it uses a third-party payment gateway, PayTM.

Trading platform Upstox resets passwords after breach report

Date: April 2021

Impact: All Upstox customers had their passwords reset

Details: Indian trading platform Upstox has openly acknowledged a breach of know-your-customer (KYC) data. Gathered by financial services companies to confirm the identity of their customers and prevent fraud or money laundering, KYC data can also be used by hackers to commit identity theft.

On April 11, Upstox told customers it would reset their passwords and take other precautions after it received emails warning that contact data and KYC details held in a third-party data warehouse may have been compromised.

Upstox apologised to customers for the inconvenience, and sought to reassure them it had reported the incident to the relevant authorities, enhanced security and boosted its bug bounty program to encourage ethical hackers to stress-test its systems.

Police exam database with information on 500,000 candidates goes up for sale

Date: February 2021

Impact: 500,000 Indian police personnel

Details: Personally identifiable information of 500,000 Indian police personnel was put up for sale on a database sharing forum. Threat intelligence firm CloudSEK traced the data back to a police exam conducted on 22 December, 2019.

The seller shared a sample of the data dump with the information of 10,000 exam candidates with CloudSEK. The information shared by the company shows that the leaked information contained full names, mobile numbers, email IDs, dates of birth, FIR records and criminal history of the exam candidates.

Further analysis revealed that a majority of the leaked data belonged to candidates from Bihar. The threat-intel firm was also able to confirm the authenticity of the breach by matching mobile numbers with candidates’ names.

This is the second instance of army or police workforce data being leaked online this year. In February, hackers isolated the information of army personnel in Jammu and Kashmir and posted that database on a public website.

COVID-19 test results of Indian patients leaked online

Date: January 2021

Impact: At least 1500 Indian citizens (real-time number estimated to be higher)

Details: COVID-19 lab test results of thousands of Indian patients have been leaked online by government websites.

What’s particularly worrisome is that the leaked data hasn’t been put up for sale in dark web forums, but is publicly accessible owing to Google indexing COVID-19 lab test reports.

First reported by BleepingComputer, the leaked PDF reports that showed up on Google were hosted on government agencies’ websites that typically use *.gov.in and *.nic.in domains. The agencies in question were found to be located in New Delhi.

The leaked information included patients’ full names, dates of birth, testing dates and centers in which the tests were held. Furthermore, the URL structures indicated that the reports were hosted on the same CMS system that government entities typically use for posting publicly accessible documents.

Niamh Muldoon, senior director of trust and security at OneLogin said: “What we are seeing here is a failure to educate and enable employees to make informed decisions on how to design, build, test and access software and platforms that process and store sensitive information such as patient records.”

He added that the government ought to take quick measures to reduce the risk of a similar breach from reoccurring and invest in a comprehensive information security program in partnership with trusted security platform providers.

User data from Juspay for sale on dark web

Date: January 2021

Impact: 35 million user accounts

Details: Details of close to 35 million customer accounts, including masked card data and card fingerprints, were taken from a server using an unrecycled access key, Juspay revealed in early January. The theft took place last August, it said.

The user data is up for sale on the dark web for around $5000, according to independent cybersecurity researcher Rajshekhar Rajaharia.

BigBasket user data for sale online

Date: October 2020

Impact: 20 million user accounts

Details: User data from online grocery platform BigBasket is for sale in an online cybercrime market, according to Atlanta-based cyber intelligence firm Cyble.

Part of a database containing the personal information of close to 20 million users was available with a price tag of 3 million rupees ($40,000), Cyble said on November 7.

The data comprised names, email IDs, password hashes, PINs, mobile numbers, addresses, dates of birth, locations, and IP addresses. Cyble said it found the data on October 30, and after comparing it with BigBasket users’ information to validate it, reported the apparent breach to BigBasket on November 1.

Unacademy learns lesson about security

Date: May 2020

Impact: 22 million user accounts

Details: Edutech startup Unacademy disclosed a data breach that compromised the accounts of 22 million users. Cybersecurity firm Cyble revealed that usernames, email addresses and passwords were put up for sale on the dark web.

Founded in 2015, Unacademy is backed by investors including Facebook, Sequoia India and Blume Ventures.

Hackers steal healthcare records of 6.8 million Indian citizens

Date: August 2019

Impact: 68 lakh patient and doctor records

Details: Enterprise security firm FireEye revealed that hackers have stolen information about 68 lakh patients and doctors from a health care website based in India. FireEye said the hack was perpetrated by a Chinese hacker group called Fallensky519.

Furthermore, it was revealed that healthcare records were being sold on the dark web – several being available for under USD 2000.

Local search provider JustDial exposes data of 10 crore users

Date: April 2019

Impact: personal data of 10 crore users released

Details: Local search service JustDial faced a data breach on Wednesday, with data of more than 100 million users made publicly available, including their names, email ids, mobile numbers, gender, date of birth and addresses, an independent security researcher said in a Facebook post.

SBI data breach leaks account details of millions of customers

Date: January 2019

Impact: three million text messages sent to customers divulged

Details: An anonymous security researcher revealed that the country’s largest bank, State Bank of India, left a server unprotected by failing to secure it with a password.

The vulnerability was revealed to originate from ‘SBI Quick’ – a free service that provided customers with their account balance and recent transactions over SMS. Close to three million text messages were sent out to customers.

Soumik Ghosh writes for CSO India and CIO India.

Copyright © 2021 IDG Communications, Inc.

FAQs

What was the largest data breach?

Data breached: 3 billion user accounts

According to data breach statistics, the largest data breach in history is the one that Yahoo! suffered for several years. Not only is it the biggest breach according to the number of affected users, but it also feels like the most massive one because of all the headlines.

What are the 4 common causes of data breaches?

Here's a short list of major causes for data breaches:
  • Cause #1: Old, Unpatched Security Vulnerabilities. ...
  • Cause #2: Human Error. ...
  • Cause #3: Malware. ...
  • Cause #4: Insider Misuse. ...
  • Cause #5: Physical Theft of a Data-Carrying Device.

What is the largest data privacy breach till date?

Top 10 most significant data breaches
  • Yahoo data breach (2013)
  • First American Financial Corporation data breach (2019)
  • Adult FriendFinder Networks data breach (2016)
  • Facebook data breach (2019)
  • Target data breach (2013)
  • MySpace data breach (2013)
  • LinkedIn data breach (2012)
  • Adobe data breach (2013)
14 Sept 2022

What was the first data breach?

2005 is the year of the first data breach to compromise more than 1 million records (DSW Shoe Warehouse; March 2005; 1.4 million credit card numbers and names on those accounts).

What are the top 5 security breaches in 2022?

Top 10 Data Breaches So Far in 2022
  1. Crypto.com Crypto Theft. The attack took place on January 17th and targeted nearly 500 people's cryptocurrency wallets. ...
  2. Microsoft Data Breach. ...
  3. News Corp Server Breach. ...
  4. Red Cross Data Breach. ...
  5. Ronin Crypto Theft. ...
  6. FlexBooker Data Breach. ...
  7. GiveSendGo Political Data Breach. ...
  8. Cash App Data Breach.
12 Oct 2022

Which company has largest data breach?

Top 20 Biggest Data Breaches in US History
  • Equifax. Date: September 2017. ...
  • Target. Date: November 2013. ...
  • Heartland Payment Systems. Date: May 2008. ...
  • Exactis. Date: June 2018. ...
  • Capital One. Date: July 2019. ...
  • Dubsmash. Date: December 2018. ...
  • Deep Root Analytics. Date: June 2017. ...
  • Zynga. Date: September 2019. Impact: 218 million users.
5 Aug 2022

What is an example of a data breach?

Examples of a breach might include: loss or theft of hard copy notes, USB drives, computers or mobile devices. an unauthorised person gaining access to your laptop, email account or computer network. sending an email with personal data to the wrong person.

Which company has the largest data breach in history?

The 10 biggest data breaches of all time
  • 1) Yahoo. Date: August 2013. ...
  • 2) Marriott Hotels. Date: November 2018. ...
  • 3) FriendFinder Network. Date: November 2016. ...
  • 4) MySpace. Date: May 2016. ...
  • 5) Twitter. Date: May 2018. ...
  • 6) Deep Root Analytics. Date: June 2017. ...
  • 7) MyFitnessPal / Under Armour. Date: February 2018. ...
  • 8) eBay.

Why do hackers hack?

Hacking refers to activities that seek to compromise digital devices, such as computers, smartphones, tablets, and even entire networks. Hackers are motivated by personal gain, to make a statement, or just because they can.

How do passwords get leaked?

Cybercriminals use special malicious programs to gain access to financial services or simply steal information - through phishing websites, Wi-Fi traffic data interceptions, or attacks on company servers holding confidential user data. These are just a few of the many prevailing techniques used by cybercriminals today.

What happens if you hack Google?

Google hacking search queries can be used to identify security vulnerabilities in web applications, gather information for arbitrary or individual targets, discover error messages disclosing sensitive information, discover files containing credentials and other sensitive data.

What is the biggest impact of security breaches?

The long-term consequences: Loss of trust and diminished reputation. Perhaps the biggest long-term consequence of a data breach is the loss of customer trust. Your customers share their sensitive information with businesses like yours assuming that you'll have the proper security measures in place to protect their data ...

What companies had data breaches 2022?

Apple, Meta, Twitter, and Samsung have all disclosed cybersecurity attacks this year. We track the latest data breaches. Data breaches have been on the rise for a number of years, and sadly, 2022 has been littered with thefts of sensitive information.

What are some current data breaches that have occurred?

Recent Data Breaches – October 2022
  • September 2022: Kiwi Farms Breached. ...
  • September 2022: American Airlines Discloses Data Breach. ...
  • September 2022: Hacker Breaches Rockstar Games, Leaks GTA6 Footage. ...
  • September 2022: Lapsus$-Affiliated Hacker Compromises Uber.
3 Oct 2022

What company has been hacked recently?

1. Uber: September 2022. One of the largest companies in the world, Uber, discovered they were hacked in mid-September after the hacker announced in the company's Slack organization “I am a hacker and Uber has suffered a data breach” followed by several emojis.

Article information

Author: Maia Crooks Jr

Last Updated: 11/14/2022
