By Rahul Bhatia
MUMBAI (Reuters) – Police in the western Indian state of Rajasthan on Tuesday detained a man suspected of involvement in what may be a major leak of user data from India’s newest telecoms company Jio, a police official said.
Jio, run by India’s richest man Mukesh Ambani and his conglomerate Reliance Industries Ltd <RELI.NS>, said on Monday it was investigating whether personal data of more than 100 million of its customers had been leaked to a website named “Magicapk.com”.
The company said it was working with law enforcement agencies to investigate the alleged leak, which cyber security analysts say could be the first large-scale data leak from an Indian telecoms firm.
The local police official, who asked not to be named, said Imran Chhimpa was detained on Tuesday in connection with the investigation. He said investigators from Mumbai were due to arrive in the area shortly.
The proprietor of a local internet service provider in Sujangarh, where Chhimpa was a customer, confirmed Chhimpa had been detained, adding he had received a query from the police about Chhimpa earlier on Tuesday.
In a July 5 post on Frendz4m, an online message board, a person with Chhimpa’s Internet Protocol (IP) address and using the handle “imranchhimpa”, posted a link to “magicapk.com” saying the site could provide personal user details of anyone with a Jio connection. The post said the data was obtained from original documents.
The proprietor of the local internet service provider told Reuters that police asked him for the installation address of that particular IP address, and made him accompany them to Chhimpa’s home, where he was later detained.
Chhimpa was not immediately reachable for comment, and his phone was switched off. Police declined to comment on whether there were any other suspects in the case at this time.
A spokesman for Jio said there was no immediate comment on the company’s own investigation into the alleged leak.
On Monday, Jio said the data leak appeared to be “unauthentic”, and the company’s subscriber data was safe and maintained with the highest security.
Some Jio users, though, took to Twitter to say they were concerned that personal information on Magicapk.com could be accurate. Some Indian media said their own checks suggested some leaked data were authentic. The Indian Express newspaper said it was able to cross-verify details on a number of Jio customers it knows.
The Magicapk.com website showed as “suspended” since late Sunday.
Jio launched last September and already boasts over 100 million subscribers after drawing in users with months of free service and now cut-price deals.
Analysts said that if the names, contact numbers, email addresses and Aadhaar numbers of all Jio customers were compromised, it would be a major setback for the telecoms industry’s new entrant.
Many users registered for Jio using a 12-digit Unique Identification Authority of India (UIDAI) number, commonly known as the Aadhaar number.
The government is pushing for Aadhaar numbers to be used in everything from opening a bank account to filing tax returns. The number, which works in a similar way to U.S. Social Security numbers, is unique to each Indian citizen and stores users’ biometric data in a centralized database.
(Reporting by Rahul Bhatia, with additional reporting by Sankalp Phartiyal; Writing by Euan Rocha; Editing by David Evans and Ian Geoghegan)