In what appears to be a major security breach, the personal information of Reliance Jio subscribers, including Aadhaar numbers, was leaked to a website on Sunday. This is the latest in a slew of data breaches and online attacks that have exposed the weak state of India's cyber security.
If a Reliance Jio mobile number is keyed in on 'magicapk.com', it throws up details such as first name, second name, email ID, SIM activation date and time, as well as Aadhaar number, if the subscriber has used it as proof to get the connection.
"There is either a bug in Reliance Jio's system because of which data is getting leaked and a hacker is using it in the backend, or it could be a breach," Anand Prakash, one of the top ethical hackers in the country, told Mail Today.
Prakash, the founder of AppSecure India, said he had obtained data for five Jio numbers from 'magicapk.com'.
Another ethical hacker, Kanishk Sajnani, also said the website revealed information for the two Jio mobile numbers he tried. However, multiple attempts may be required, he added.
"We have come across the unverified and unsubstantiated claims of the website and are investigating it. Prima facie, the data appears to be unauthentic. We want to assure our subscribers that their data is safe and maintained with highest security," said a Jio spokesperson.
The company said data is only shared with authorities as per their requirement. "We have informed law enforcement agencies about the claims of the website and will follow through to ensure strict action is taken," Jio added. The site in question was later suspended.
This may be the work of a hacker, Prakash said. "Or, the database may have been hacked completely. Reliance Jio's Application Programming Interface (API) may not have authentication," he added. In any app, the developers in the back-end put together all the data, explained Prakash.
"That's the API, the most crucial thing for an app. The next step is to display it aesthetically, which is what the User Interface (UI) team does by working on the API information," he added. Either way, the information is out in the public domain. "But the extent of the breach is not clear at this point," said Prakash.
He said he has tried reaching out to Reliance Jio earlier as well about cyber security, but there was no response from the company.
The government has made it mandatory to link Aadhaar with PAN, a 10-digit alphanumeric identifier issued by the income-tax department. Without linking, a taxpayer cannot file tax returns. Global cybersecurity expert and advocate Prashant Mali said privacy of clients when it comes to Aadhaar details should remain top priority.
"If the leak further reveals financial data, then one can file for damages and compensation against the company for not following reasonable security practices to protect customer data," he pointed out. For instance, if Aadhaar is linked to PAN and financial details are revealed because of this, people can start filing class action suits for damages.
"Any company responsible for Aadhaar leakage gets exposed to a huge financial legal risk," he said. A class action suit is one where people with the same or similar injuries caused by the same product or action can sue the company as a group. Billionaire Mukesh Ambani-owned Reliance Jio, the latest entrant in the telecom sector, had 108.9 million subscribers as of March 2017, within six months of its launch.
The country's total telephone subscriber base was 1,194.58 million as of March 2017. Jio's subscribers have spiked after its debut in October, when it offered free SIM cards and unlimited 4G internet. However, the rate at which it added new subscribers declined in April. On March 31, it began paid service.
In association with Mail Today