More than 100m records potentially lost in huge telecoms breach

India’s newest telecoms provider is investigating what could be the country’s biggest data breach, according to local reports, with the records of potentially more than 100m subscribers having been exposed online.

The data apparently belonging to Jio Reliance subscribers was posted on a website called magicapk, which has since gone offline, and included:

  • First, middle, and last names
  • Mobile numbers
  • Email addresses
  • Aadhaar numbers
  • Dates and times of SIM card activations

Jio is the newest player in India’s wireless telecommunications sector. A subsidiary of Reliance Industries, it launched its  4G cellular network and services in September 2016, and at the end of the first quarter of 2017, had just over 108m subscribers out of India’s total population of some 1.3bn.

The inclusion of Aadhaar numbers adds to the concern, as the scheme, set up by the Indian government in 2009 to register every citizen with a 12-digit number and their biometrics, has faced sharp criticism over its scope and reach, with critics calling it “Orwellian”. The scheme now covers pretty much the entire population, having registered 1.15bn people.

Critics have included the National Advisory Council, Citizens Forum for Civil Liberties, and the Indian Social Action Forum. Now that these details seem to have been part of the data leaked from Jio, those concerns are starting to look prophetic.

Jio moved to reassure subscribers, insisting that the data that had been exposed was “unauthentic”, adding:

Prima facie, the data appears to be unauthentic. We want to assure our subscribers that their data is safe and maintained with highest security. We want to assure our subscribers that their data is safe and maintained with highest security. Data is only shared with authorities as per their requirement.

However, many Indians on the /r/India forum on Reddit claimed that at least some of the details exposed were genuine, with one saying:

I used an unique email (address) which I have not used anywhere else and can confirm leaked data is from Jio’s database.

Another added:

I got my number activated yesterday only, and it’s in the leaked database which shows an email id which I haven’t given to anybody else. So no, it’s not three months old.

Another Reddit user shared a screenshot of a post on a forum hosted in the Onion network claiming to have the data for sale.

If the data has indeed come from Jio, it’s a big setback for the company, which has grand plans to conquer India’s mobile market.