The data of 3.1 crore people on the Tamil Nadu Civil Supplies and Consumer Protection Department, which is the public distribution system data, has been breached and is on sale on a hacker forum, according to cybersecurity startup Technisanct. Earlier this week, on June 26, the website showed it had been “hacked by 1945VN”, and subsequently showed that it was under maintenance. Technisanct said the data includes information such as Aadhaar cards, Makkal number, full name, father’s name, contact information, family details and more. However, the agency which maintains the site, Oasys Cybernetics, has denied a breach.
According to the TN PDS website, there are 6.8 crore registered beneficiaries, with 2.1, 3 crore registered mobile numbers and 6.76 crore Aadhaar cards. Technisanct said after it discovered the breach, it reached out to the Tamil Nadu government, the Union government and CERT-IN, India’s nodal cybersecurity agency. Founder of Technisanct Nandakishore Harikumar said that they were informed that Tamil Nadu government forwarded the report for further investigation.
Technisanct identified the threat on June 28, when the data of 52 lakh people was uploaded to the forum. Soon after it was put up, it was taken down. Nandakishore said that they were assuming that more data would be leaked, and it was likely the hacker was expecting to get a better price. The hacker followed up allegedly with the data of 2.6 crore people, leading to the data of over 3.1 crore people being exposed.
Speaking to TNM, Nandakishore said they had assessed the data of the initial dump which contained information of roughly 50 lakh people, and are assessing the second.
“Because it’s such a huge amount of data, we have to see how many Aadhaar cards are there, how much other individual information is there. Also, the hacker is claiming that he has access to the entire dump — that is 1.9 TB of data. The PDS website itself says that there is data belonging to 6.8 crore Tamil Nadu citizens,” he said.
Nandakishore says that in the data uploaded of 3.1 crore people, they found 1.94 crore Aadhaar card data.
“He may leak the full 6.8 crore data in the near future. We also assume that he has access to the servers till now,” he added.
Nandakishore adds that when they initially assessed the first 52 lakh, they found three lakh plus phone numbers. This disconnect, Nandakishore believes, is likely because most beneficiaries could potentially be from rural areas and entering details at the ration shop.
Food and Consumer Affairs Department officials told The Hindu that the company which manages the same had denied the hacking.
In its letter to the Commissioner of the Civil Supplies and Consumer Protection Department, Oasys said the data shown was not the data available in the TN PDS database, is of a different data structure, that only the homepage had been defaced and that there had not been a breach. "...we confirm that there was no data breach in any base is safe and secure," Oasys said in its letter.
The Hindu report further added that officials said that an audit would be carried out. News18 reported that the matter would be taken up by Md Nasimuddin IAS, additional chief secretary to the cooperation, food and consumer protection department.
Nandakishore questions why an audit would be carried out if there was no breach.
Further, over questions whether it was in fact data of the TN PDS, he said that they had accessed the schema, and there was no question that it was not TN PDS. A schema is a description of the database’s structure, which is how it is constructed, the data type, and more.
Srikanth L of Cashless Consumer, a consumer awareness collective, concurs. "Putting it [the data that was uploaded] in context of the entire database and the fact that the site was indeed defaced, it is quite possible that we probably don’t have an option to trust the denial. It falls flat. He [the hacker] did show some data,” he said.
Nandakumar says that if the data of all citizens on the portal is breached, it is a huge digital footprint of an individual, and can be used for phishing.
“If I get a call from the government and the person says this is your Aadhaar number, Makkal number and this is all your data and you just need to go click on a link, there is a chance that people could be a victim of phishing because all the data you need to show yourself as a government officer is there,” he says.
Srikanth says that there were comments regarding how much of the data is already public information, such as being disclosed on voter lists.
"While one could argue name, address, age is part of publicly available voter lists and hence might not be sensitive information, this PDS database contained mobile number, Aadhaar, date of birth, family relationships - all of which are sensitive information and could be used in variety of ways to profile individuals, families and communities," he says.
“This could be used for voter profiling, or building credit profiles of the entire demography of the state. Even if it’s 20 million, it’s a good chunk of the state’s population,” he adds.
This comes as the state government attempts to create a State Family Database for e-governance, and has sought for it to be the “single source of truth on all details with respect to the state’s residents”, and is looking at the data that is comprehensive and can be used by all departments. This requires having a database that cuts across departments, and can only make the ramifications of such a leak much worse.
Nandakishore says that all governments will have other data as well, and they must ensure that critical infrastructure is properly monitored and audited.
It is important to note that India does not as yet have a personal data protection law, and there are no mechanisms in place about what governments or companies must do when there is a breach.