By Rahul Bhatia and Promit Mukherjee
MUMBAI (Reuters) – India’s Reliance Jio is investigating whether personal data of over 100 million of its customers had leaked onto a website, in what analysts said could be the first ever large-scale breach at an Indian telecom operator.
Jio, India’s newest telecoms entrant, said that the data on the website, “Magicapk.com”, appeared to be “unauthentic” and that its subscriber data was safe and maintained with the highest security.
But people complained on Twitter about personal information of Jio users being publicly available on Magicapk.com, and some Indian media said that their checks had led them to believe the leak was real.
Jio declined to comment on the Indian media reports.
“We have informed law enforcement agencies about the claims of the website and will follow through to ensure strict action is taken,” a Jio spokeswoman said.
Newspaper Indian Express said it was able to cross-verify details on a number of Jio customers known to them.
“Indianexpress.com checked with some Jio numbers and found that details of numbers bought as late as last week are up on the site. However, it was not clear if all the numbers are available on the site, as a lot of queries were throwing a blank,” the newspaper reported.
Magicapk.com is showing as “suspended” since late on Sunday.
Rony Das, a security analyst with Defencely, an online security firm, described the likely data breach as “dangerous”.
AADHAAR AT RISK
Many users had been registered for Reliance Jio services by using a 12-digit Unique Identification Authority of India (UIDAI) provided number, commonly known as the ‘Aadhaar’ number. The Indian government has begun mandating the use of Aadhaar for everything from opening a bank account to filing tax returns.
The ‘Aadhaar’ number, which works on similar lines as U.S. Social Security numbers, is unique to every Indian citizen and it stores biometric data of users in a centralized database.
Local tech website MediaNama said that Aadhaar information on the website had been redacted. It also said it had independently verified data on the website for multiple Jio numbers, and that the data was accurate for those numbers.
Srinivas Kodali, an independent security researcher, said it was tough to assess the scale of the alleged breach until “Jio releases a statement saying what went wrong, and how they’re fixing it.”
He said that while the alleged breach was only reported by media late Sunday, data from the potential breach was shared on a messageboard forum in June and screenshots of it were also available on the “dark web”. Jio declined to comment.
Jio, run by Reliance Industries Ltd, launched last September and has already added over 100 million subscribers.
If the claims of the data breach are true, it would be a big setback for the Indian telecom entrant’s aggressive push led by Reliance Chairman Mukesh Ambani.
Ambani, India’s richest man, through months of free and cut-price deals has propelled Jio into the nation’s fastest growing wireless operator. It added 3.9 million subscribers to its network in April.
Shares in Reliance were up slightly in afternoon trading in India on Monday.
(Additional reporting by Sankalp Phartiyal and Euan Rocha in Mumbai and Sangameswaran S in Bengaluru; Editing by Chris Reese and Muralikumar Anantharaman)