DoT orders security audit of telecom operators after 750 million Indian mobile users data leak claim

data leak

New Delhi: The Department of Telecommunications (DoT) has directed all telecom service providers to conduct a security audit of their systems, following a claim by a cybersecurity firm that the personal data of 750 million Indian mobile users has been leaked and put up for sale on the dark web. A government official confirmed that the DoT has issued the order after receiving a report from CloudSec, a cyber intelligence company that works with the Indian Computer Emergency Response Team (CERT-In).

According to CloudSec, its researchers discovered that a hacker group called CyboCrew, comprising CyboDIVIL and Unit8200, had advertised a massive ‘Indian Mobile Network Subscriber Database’ for sale on an underground platform on January 23. The database, which is said to be 1.8 terabytes in size, contains sensitive information such as names, mobile numbers, addresses, and UID details of around 85% of the Indian population. The threat actors have demanded $3,000 for the entire dataset.

CloudSec said that the hacker group has denied any involvement in a breach and claimed to have obtained the data legally through an undisclosed source within law enforcement channels. However, CloudSec has warned that the data leak poses a significant risk to both individuals and organizations, as it can be used for identity theft, fraud, phishing, and other cyberattacks. CloudSec has also notified the relevant authorities and organizations that may have been affected by the breach, as part of its responsible disclosure practices.

Data consumption

The government official, however, said that telecom operators have informally told the DoT that the leaked information appears to be a compilation of old data sets of telecom customers and not due to any vulnerability in their system. The official said that the DoT has nonetheless asked the telecom operators to get a security audit of their systems as a precautionary measure and submit a report within 15 days. The official also said that the DoT will verify the authenticity of the data leak claim and take appropriate action if required.