Hyderabad: Gang that leaked confidential data of 16.8 crore citizens held

Hyderabad: The Cyberabad Police arrested a gang of seven members involved in the theft, procuring and selling of sensitive and confidential data of government and important organisations, and also the personal and confidential data of 16.8 crore citizens.

The accused have been found selling data in more than 140 categories that include important and sensitive details of defence personnel, mobile numbers of citizens, NEET students, energy and power sector employees and organisations, PAN card data, government employees, and bank details of the people. The accused are selling the data through JustDial and similar platforms.

Structure

The accused are identified as Kumar Nitish Bhushan, who established a call centre in Noida, Uttar Pradesh; Kumari Pooja Pal, who worked as a telecaller; Susheel Thomar, a data entry operator; Atul Pratap Singh, who collected data of credit card holders and sold it for profit through his company; Muskan Hassan, a telecaller, and Sandeep Pal.

Kumar Nitish Bhushan used to collect credit card databases from Muskan Hassan, who used JustDial and other social media to resell the data to fraudsters for profit. He was the mediator in his company, MS Digital Grow, and sold data through the firm.

Bhushan procured data of cardholders from Hassan, who got the data from Atul Pratap Singh. Sandeep Pal established Global Data Arts and used JustDial services and social media to sell customers’ confidential data to fraudsters, leading to cybercrimes.

Zia Ur Rehman, who used to provide bulk messaging services for promotions and also shared the Data base to Kumar Nitish Bhushan, and Atul Prata Singh.

Modus Operandi

According to Commissioner of Police, Stephen Raveendra, when an individual calls the toll-free numbers of JustDial for any sector or category-related confidential data of individuals, their query is listed and sent to that category of the service provider. Then these fraudsters call those clients/fraudsters and send them samples. If the client agrees to purchase, they make payment and are provided with the data. This data is further used for committing the crime.

In this case, the gang operated through registered and unregistered companies - Data Mart Infotech, Global Data Arts and MS Digital Grow.

Sensitive data of defence personnel containing their ranks, email ids, place of posting, etc was found with the accused. The data of NEET students with their names, father names, mobile numbers and home addresses were found with the accused. PAN card database containing sensitive information on income, email ids, phone numbers, addresses etc were also found. Data of government employees containing information on their names, mobile numbers, dates of birth etc was also found. Gas and petroleum companies database with the names, mobile numbers, email ids, addresses etc of franchisees were found.

Data of WhatsApp, Meta

Further mobile number database of 3 crore individuals was probably leaked from the Telecom Service Providers with order numbers, service start dates, segment details, billing details, account numbers, and sim numbers etc, was also found, which can be used for committing various crimes.

Further, data of customers from reputed financial institutions like Axis, HSBC, etc of credit and debit cards containing information on account details like names, account numbers, income, transaction details, mobile numbers, and addresses, was found. Data of WhatsApp users of 1.2 crore individuals with their state details were found. Data of Meta users of 17 lakh individuals with information on login ids, IP city, ages, email ids, and phone numbers was also found.

How can data be used to harm?

Sensitive data can be used for unauthorised access to important organisations and institutions. The data of defence and government employees can be used for espionage and impersonation and to commit serious offences which may jeopardise national security.

“The data relating to PAN can be sued to commit serious offences. Cybercrimes are caused by gaining confidence with the victim by disclosing the above information,” said the Commissioner.

The Cyberabad police during the investigation found that the private organisations are collecting data both with consent and without the knowledge of the individuals. There is no data privacy or protection policy by most of these private organisations that possess and process the data of individuals.

The police seized 12 mobile phones, 3 laptops, 2 CPUs, mails and tax invoices of JustDial, and data of 138 categories containing sensitive information of government, private organisations and individuals.

Advisory to Public

- Please approach the police or law enforcement agencies if you find that your private/confidential data has been misused by private companies.

- Do not share personal information, especially banking details with unknown individuals /websites.

- While using any services in person or on digital platforms, know from the service provider the information they are collecting and the purpose.

- Use privacy settings before using any mobile device, computers, applications, websites or search engines.

- Use privacy settings for privacy and information protection on social media.

- While downloading any application, understand the permissions sought by them to access information on your device.

- Use unique, complex passwords for each of your online accounts, and update them regularly to ensure they remain secure.

- Ensure your operating system, software and applications are updated regularly, as software updates often include security patches to protect against cyber threats.

- Install reputable antivirus and keep it updated to protect your devices from viruses, malware and other online threats.

- Do not download any remote service applications like AnyDesk, quick viewers, or team support on devices that have payment options enabled.

- Stay informed about the latest cyber security threats and best practices by reading news articles, blogs and other resources.