Reliance Jio's massive data leak has shaken many as it is being touted as India's biggest data breach till date. It was reported that 120 million users were affected as part of the hack, and the information was publicly disclosed on a now-defunct website called Magicapk.com.
Reliance Jio has denied that the breach took place, but several users and security experts independently confirmed that the hack indeed took place. Since Jio connections were activated using Aadhaar cards, major concerns were raised regarding the security of millions of users.
With the help of one of the security experts – Alex Heid, a white hat hacker and Chief Research Officer at cyber security rating and monitoring platform SecurityScorecard, International Business Times, India, assessed the nature of the hack, the threat to users and concerns surrounding the attack.
Below are the edited excerpts of our interview with Heid:
IBTimes, India: As citizens of India, how do we protect our information such as Aadhaar in an event of a cyber-attack?
Alex Heid: Unfortunately, with things such as Aadhaar in India and Social Security Numbers (SSN) within the USA, once the number has been obtained by an unauthorised individual, there is not much that can be done because the information has been exposed. Attackers often times use these numbers as authentication credentials to gain access to other services (such as via password reset), or they may use them for the purpose of identity theft. The best thing that can be done is to maintain diligence in monitoring credit reports and account activity.
IBT: What do we learn from Reliance Jio's hack?
Heid: Reliance Jio vehemently denies that a breach took place, as discussed in a recent Huff Post article. However, it appears a person has been arrested in India with connections to this case, and that person was in possession of 50 Jio SIM cards.
The individual also ran a website called 'magicapk.com,' which is now suspended. When the archive.org "Wayback Machine" is checked, a cached copy of the site shows that there was apparently an underground service available whereby users could query the phone number of a Jio user and then return the subscriber data.
It may be accurate that Jio was not 'breached' in a traditional sense (such as malware infection or account compromise), this script may have been leveraging some form of web application vulnerability that scraped the information from the Jio website once a phone number is entered.
This would be more of an exploitation of a leak, as opposed to a complete breach.
It is unknown what information was returned when a phone number is queried, as the site is offline at this time.
On the surface, it appears that a similar example to this type of leak would be the AT&T 'hack' that took place in 2010, when a hacker disclosed a vulnerability in the AT&T website that returned subscriber data when an iPad ICC-ID number was queried.
However, it remains unknown what the motives of the Reliance Jio hacker are, and it is unknown what the method of exploitation or pathway was used to gain access to this information. It can only be confirmed that the company is refuting claims of a traditional 'breach,' and there was indeed an arrest that took place after the discovery of an underground service relating to Reliance Jio.
IBT: What is the extent of damage Reliance Jio users faced due to the hack?
Heid: It is unknown what information was returned when a phone number is queried, as the site is offline at this time. It may have been contact information such as name and address, or perhaps more detailed information used for billing such as bank information and/or Aadhaar numbers. Without an example of what the output of the service looks like, it is unknown to what extent of the risk was to subscribers outside of the possible exposure of basic contact information.
IBT: How should big brands deal with customer information or should they simply refrain from collecting it?
Heid: While companies should not collect sensitive information that is not needed to provide a service, often times it is not realistic to assume companies will not collect private data. Furthermore, when an attacker has bits of seemingly public data from multiple sources, then conclusions can be drawn about the details of private data.
Many times data leak incidents like this one are the results of misconfigurations within the network topology (such as an exposed database with no password), or preventable web application vulnerability (such as a forceful browsing issue that bypasses authentication, or an SQL injection vector). Ensuring best practices when deploying network infrastructure will go a long way in preventing basic attacks (such as changing default credentials, and implementing firewall rules). For web application development, following the best practices of the Open Web Application Security Project (OWASP) will also go a long way to remove potential vectors of exploitation and data exfiltration.
IBT: Is government's vision for Aadhaar centralisation ideology flawed?
Heid: I am unable to speak to the specific of the India government regarding the implementation of Aadhaar, as I am not familiar with the details. However, it is generally a bad idea to leverage unique numerical identifiers as a mode of authentication. The biggest risk would not necessarily be from government centralization, it would come from how the private sector and public sector use, store, and share the private information. Without detail on how those three aspects are done, coming to a conclusion about the specifics of India's policy would not be possible.
