Hyderabad: The Cyberabad Police Friday arrested a 24-year-old man for allegedly procuring and selling confidential data of 66.9 crore people, including students, defence personnel, government employees and customers of e-commerce companies, spanning 24 states and eight cities.
The data was spread over 104 different categories such as debit and credit card-holders, frequent flyers, demat account holders, designers, chemists, business analysts, senior citizens, PAN card-holders, National Eligibility-cum-Entrance Test students, high net-worth individuals, electricity consumers, according to the police.
The accused, Vinay Bharadwaj, was operating a website called ‘InspireWebz’ and an office in Faridabad, Haryana, and collected databases from two other individuals named Amer Sohail and Madan Gopal, who are yet to be arrested, said the Cyberabad Police, which are a wing of the Telangana Police.
“Bharadwaj’s other two associates also ran websites, and we’re yet to trace them and understand how exactly they got access to so much data. Some of the data was sold for as low as Rs 2,000,” Cyberabad Deputy Commissioner of Police Kalmeshwar Shingenavar told ThePrint.
He added that “the accused knew he was selling data illegally but was not aware of the magnitude of his crime. He sold information to about 50 clients and they were marketing and advertising companies. Some were cybercriminals”.
The police are also exploring the angle of data access through the dark web. “In cases related to bank data theft, data is often leaked through third-party companies which banks hire to verify their customers’ data,” the DCP explained.
A source part of the investigation told ThePrint that the “data was stored and sold over Google Drive, and about 72 drive links were found”.
The leaked data included names and mobile numbers, addresses, and types of jobs held. When it came to bank data, the accused even had information about the first swipe of a particular credit card-holder, his/her income and type of account held, said the police.
The data on sale included details of customers of Amazon, Netflix, YouTube, Paytm, PhonePe, Big Basket, BookMyShow, Instagram, Zomato, Policybazaar, etc., among others. The accused also had data of online learning platforms such as Byju’s and Vedantu, as well as data of about 1.84 lakh cab users on what kind of cabs they used, their trip fare, etc., data of gym customers, human resources professionals and IT employees.
Also read: India is the sixth most data-breached country in world, says study by cybersecurity firm
UP has maximum individuals compromised
Uttar Pradesh had the highest number of individuals whose data was leaked — 21.39 crore, followed by Maharashtra with 4.50 crore individuals compromised. From Delhi, data of 2.7 crore people was leaked and Bengaluru and Hyderabad had 60 lakh and 56 lakh people, respectively, whose data was leaked, according to the police.
DCP Shingenavar said notices would be served to Amazon, Netflix, Zomato and other companies whose databases were compromised over alleged violation of the Information Technology Act. “We’re going to check if these companies followed the rules (of data protection and privacy) according to the Act,” he added.
The Act contains guidelines about what can be classified as sensitive information, such as biometrics, bank details of an individual, medical records, passwords, etc. It also has rules on how data should be shared and protected.
Last month, the Cyberabad Police had unearthed another massive data breach of 16.8 crore individuals and arrested a gang of seven allegedly involved in the theft and sale of sensitive data of government and important organisations, as well as details of defence personnel.
The seven accused, who operated call centers in Noida, were arrested in Delhi and sold the data to over 100 clients, the police had said.
As many as 1.2 crore WhatsApp users and 17 lakh Facebook users had also been targeted in the data theft, with information on login id, IP, city, age, email id, phone number etc. found in the possession of the accused, according to the police, who also pointed to the national security implications of the data theft.
(Edited by Nida Fatima Siddiqui)
Also read: Yet another spam call? Here’s how they probably got your number & why you should worry