The Cyberabad Police in Hyderabad, on April 1, made arrests in a cybercrime involving the theft, holding and sale of personal and confidential data of 66.9 crore individuals and organisations belonging to 24 states and eight metropolitan cities. The details of this major data breach were tweeted by the police.
According to the police, the accused was operating through a website called 'InspireWebz' based in Faridabad, Haryana, and was selling the database to clients. The data included that of ed-tech organisations such as Byju's and Vedantu, major organisations like GST, road transport organisations of various states, Netflix, Amazon and online payment apps like PhonePe and Paytm.
How was the theft unearthed?
Speaking to Decode, Cyberabad Police ACP Shyam Babu explained the genesis of the case. "While doing a routine surfing online, a person was shocked to see all his personal information on an open-source website. He immediately lodged a complaint with the Cyberabad cyber crime police prompting them to register a case in the issue," he said.
Ten days before this, the police had detained and questioned 16 suspects in a case involving similar data theft. "The accused spilled the beans, leading the police to the primary suspect in the nation's biggest data theft case. Personal information of 66.9 crore people from 24 states and 8 major cities, including 2.55 lakh defence ministry employees from the Delhi-NCR region has been stolen," Babu added.
In addition to this, the accused, Vinay Bharadwaj, also possessed personal data of 1.26 lakh NRIs and 5 lakh High Net Worth Individuals (HNI). Bharadwaj was picked up by the police in Haryana. Two mobile phones and two laptops were seized during the arrest.
Where was the data stolen from?
In what is rightly called the 'biggest' data theft, the accused possessed the data of 1.84 lakh cab users from 8 metro cities and data of 4.5 lakh salaried employees from 6 cities and the state of Gujarat. Further, he also held customer data of major organisations like GST (Pan India), RTO (Pan India), Amazon, Netflix, YouTube, Paytm, PhonePe, Big Basket, BookMyShow, Instagram, Zomato, Policy Bazar, Upstox, among others, according to the press release.
Some of the important data held by the accused included the data of defence personnel, government employees, PAN card holders, students of the 9th, 10th, 11th and 12th standards, senior citizens, Delhi electricity consumers, D-MAT account holders, mobile numbers of various individuals, students appearing for the medical entrance test NEET, High Net Worth Individuals, insurance holders, and credit card and debit card holders.
According to the press release issued by the Cyberabad police, the accused was based out of an office in Faridabad, Haryana, and collected databases from Amer Sohail and Madan Gopal, which he resold to fraudsters for profit.
The highest number of categories of data found with the accused belonged to Uttar Pradesh, tallying 21.39 crore. This was followed by Maharashtra (4.5 crore), Delhi (2.7 crore), Andhra Pradesh (2.1 crore) and Karnataka (2 crore).
The category with the largest collected database was domain WHOIS, accounting for 3.47 crore databases. It was followed by 3 crore mobile number databases, 2 crore students' database, 98 lakh credit card holders' database, 40 lakh job seekers' database, 35 lakh D-MAT account holders' database and 18 lakh frequent flyers' database.
Decode reached out to the companies whose users' data was compromised. While Vedantu, Byju's, UpStox, Big Basket, Zomato and Paytm did not respond on the matter, Netflix said that they "will not be commenting on the issue".
Speaking to Decode, PhonePe's spokesperson said, "The current media refers to data leaks which have been farmed via third party data sources and does not pertain to PhonePe. The PhonePe app is totally safe and secure and we have seen no data breach on our platform."
What are the police doing now?
Given the scale of the theft, the police will now be approaching the case from different angles. The involvement of a bigger network behind the main accused, Vinay Bharadwaj, is suspected, as it is not possible for him to steal such voluminous data alone by hacking into the websites of various organisations.
According to ACP Babu, the police have so far issued notices to 11 organisations that became victims of the data theft in the case and asked them to send their replies in a week's time. Apart from this, the Cyberabad police have been trying to gather details from these organisations regarding their failure to protect the data from any kind of heist and the involvement of employees of the organisations.
Meanwhile, the police are closely observing the 'InspireWebz' website used by the accused to sell the stolen data. Apparently, it resembled the websites of major e-commerce companies of the country.
Talking about the present update in the case, the ACP also added, "The Cyberabad police have formed special teams to nab the other accused in the case, Aamir Sohail and Madan Gopal. A nationwide hunt is on to nab the two accused now."