Cyberabad police bust India's biggest data theft gang selling personal data of 16.80 cr people
Commissioner of Cyberabad Police Stephen Raveendra has given a detailed account of the case at a press conference here on Thursday
HYDERABAD: The Cyberabad Police have arrested a gang of six persons involved in the theft, procurement and sale of sensitive and confidential data of government and important organisations, as well as the personal and confidential data of 16.8 crore citizens. This is said to be one of India's largest data theft cases.
The accused persons were found selling information pertaining to more than 140 categories, including sensitive details of defence personnel, mobile numbers of citizens, NEET students, Energy & Power sector, PAN card data, Government employees, Gas & Petroleum, high-net-worth individuals (HNIs), D-MAT accounts, students database, woman database, Bangalore woman consumer data, data of people who have applied for loans, insurance, credit card and debit card holders (of AXIS, HSBC and other banks), WhatsApp users, Facebook users, IT organisation employees, frequent flyers etc.
The accused sold the data through JustDial and similar platforms.
When any individual calls the toll-free numbers of JustDial and asks for confidential data of individuals related to any sector or category, their query is listed and sent to service providers in that category. Then these fraudsters call those clients/fraudsters and send them samples. If the client agrees to purchase, they make payment and are provided the data. This data is further used for committing crime.
In this case, the accused gang operated through three registered and unregistered companies, Data Mart Infotech, Global Data Arts and MS Digital Grow.
Sensitive data of defence personnel containing their ranks, email ids, place of posting, etc. was found with these accused. Data of NEET students with their names, father's name, mobile number and residence was also found with these accused. A PAN card database containing sensitive information on income, email ids, phone numbers, address etc. was also found. Data of Government employees containing information on their name, mobile number, category, date of birth etc. was also found. A Gas and Petroleum companies database with the names, mobile numbers, email ids, addresses etc. of franchisees was found.
Further, a mobile number database of three crore individuals, probably leaked from Telecom Service Providers, with order number, service start date, segment details, billing details account number, SIM number etc. was also found, which can be used for committing various crimes.
Data of credit card and debit card customers of reputed financial institutions like Axis, HSBC, etc., containing account details like name, account number, income, transaction details, mobile number, address, etc. was found. Data of 1.2 crore WhatsApp users with their state details was found. Data of 17 lakh Facebook users with information on login id, IP city, age, email id, phone number etc. was also found.
The sensitive data can be used for unauthorised access to important organisations and institutions. The data of defence and government employees can be used for espionage, impersonation and committing serious offences which may jeopardise national security. The data related to PAN cards can be used to commit serious offences. The data is being used to commit a large number of cybercrimes by gaining the confidence of victims through disclosure of the above information.
ACCUSED DETAILS WITH ROLES REVEALED IN THIS CASE:
A1: Kumar Nitish Bhushan: Established a call centre in Noida, Uttar Pradesh and collected credit card databases from A5 Muskan. He used Justdial and other social media platforms to resell the data to fraudsters for profits.
A2: Kumari Pooja Pal: Worked as a tele-caller at A1's call centre.
A3: Susheel Thomar: Worked as a data entry operator at A1's call centre.
A4: Atul Pratap Singh: Collected data of credit card holders and sold it on a profit basis through his company "Inspiree Digital".
A5: Muskan Hassan: Previously worked as a tele-caller at A4's office. Now, having established the company "MS Digital Grow", she sells data as a mediator. In this case, A1 procured data of card holders from A5, whereas A5 arranged that data from A4.
A6: Sandeep Pal: Established Global Data Arts and used Justdial services and social media platforms to sell customers' confidential data to fraudsters who indulge in cyber offences.
SEIZURE:
⮚ Mobile phones – 12
⮚ Laptops – 03
⮚ CPUs – 02
⮚ Mails and Tax invoices of Justdial
⮚ Data of 138 categories containing sensitive information of government, private organisations and individuals.
FINDINGS
1. Private organisations are collecting data both with consent and without the knowledge of the individuals. Most of these private organisations, which possess and process the data of individuals, have no data privacy or protection policy.
2. The organisations providing digital services are also capturing a lot of information about individuals without their consent and without any means of informing them of the type and amount of data being collected from their devices while providing services.
3. Private organisations like financial institutions, social media intermediaries, e-commerce platforms, search engine websites, contact details directory service providers like JustDial, etc. collect various personal and confidential information of individuals while providing services, without the consent of the individuals, while their websites or applications are being used.
4. These private organisations do not have a proper, legally sound data protection or privacy policy to collect, process and store the confidential, personal and sensitive data of individuals.
5. These private organisations do not have secure systems and networks to ensure protection of personal and confidential data they hold of individuals.
6. These private organisations do not have a legally sound policy for sharing the personal, confidential and sensitive data of individuals with the third-party vendors they use for various services. It is noticed that most of the time data theft is being committed at these vendor levels.
7. The private organisations sharing the personal data of individuals with their vendor organisations do not have a proper policy or process in place for verification of vendor antecedents and security of their systems holding the data.
8. Contact details directory service providing platforms like JustDial & others are –
i. not having a list of categories for which they would not provide services
ii. not doing any verification of agents who are listed as service providers on their platforms
iii. not doing any verification of the data being provided by these service providers to check whether confidential data is being sold by them or not
9. Since such data is available in the open market through organisations like JustDial & others, a high number of fraudsters are abusing it to commit numerous cybercrimes. Possession of this data helps them build trust and confidence with the victims, which they use to convince them to part with their money.