Earlier this week, an unknown entity published personal details of subscribers to Reliance Jio, a mobile carrier based in India. The data was available through a search engine and included people’s names, phone numbers, and email addresses. And while tech news outlet Medianama confirms that some of the information was legitimate, Jio said in a statement that it believes the leaked material is ‘unauthentic.’
It’s worth noting that the information included a field for users’ Aadhaar numbers, the unique identification number issued by the government to more than 80 percent of Indian citizens so they can do things like apply for subsidized rations, renew their passports and subscribe to Jio’s service. These numbers were redacted on the site, but it’s possible that the hackers may have them.
Jio user Data leakedhttps://t.co/fjBRRmTWNm
— ✨Amit Meena ? (@amit_meena) July 9, 2017
Twitter user Amit Meena is likely to have been the first to spot the site, magicapk.com. It’s unclear as to how many users’ details were leaked; FoneArena claimed that the database spanned 120 million users, but Deccan Chronicle noted last month that the carrier only had about 112 million subscribers.
The identity of the publisher of this database, as well as the owner of the domain and their intentions with this leak, remain unknown. All we do know is that there’s a weak spot in Jio’s data management process, and that there’s precious little customers can do to protect themselves.
That’s because India doesn’t have strong privacy laws in place to hold companies accountable for leaked or stolen data, and to require them to use powerful encryption for sensitive information like customers’ details. People can’t even take Jio to court over the leaked data which was acquired by the carrier through the Aadhaar-based KYC system, as it’s the Unique Identification Authority of India (UIDAI) that holds the right to their personal information in that database. And right now, the UIDAI believes there’s no reason to be alarmed.
As The Hindustan Times pointed out in January, the few existing legislations that pertain to privacy in India are piecemeal at best, and don’t serve to protect citizens adequately in case of a leak like this one, or like several others that previously affected major companies like Zomato, Ola and McDonald’s India.
Magicapk.com has already gone down in a matter of days, but it’s possible that the entity behind the leak might sell the data on the Dark Web, and that others may have scraped information from the site with malicious intentions. Meanwhile, many Jio users remain at risk of identity theft, and the carrier remains dismissive of the the threat:
We have come across the unverified and unsubstantiated claims of the website and are investigating it. Prima facie, the data appears to be unauthentic. We want to assure our subscribers that their data is safe and maintained with highest security. Data is only shared with authorities as per their requirement. We have informed law enforcement agencies about the claims of the website and will follow through to ensure strict action is taken.
So when will India get a privacy law? In May 2016, the minister for communications and information technology, Ravi Shankar Prasad, said that legislation was in the works, but didn’t provide a timeline. It’s been a year, and we haven’t seen anything concrete yet. With a fast-growing internet and mobile user base, and with global cyber crime on the rise, India would do well to prepare itself to deal with untoward incidents that could affect its massive population.