wordpress blog stats
Connect with us

Hi, what are you looking for?

Jio users’ names, email addresses & more leaked online, but it is in denial

(with inputs from Aroon Deep)

Last night, a website called Magicapk.com went online, allowing anyone to search for user identification data (Know Your Customer; KYC) of Reliance Jio customers. It had the following kyc information: Name, Mobile Number, Email address, Date of activation, Circle and Aadhaar number, but thankfully, the Aadhaar information was redacted.

MediaNama independently verified this data for multiple Jio numbers, and the data was accurate for these numbers. Numbers for other telecom operators did not work. Several users have also uploaded screenshots of actual data online, which we won’t be linking to.

Jio is in denial

Reliance Jio, however, has sent us a statement, saying that these are “unverified and unsubstantiated claims”, and “the data appears to be unauthentic”.

Frankly, given that we verified the data for multiple users, as have others, this claim is simply not true. Some users are reporting that data for newer numbers is not available. Update: Do check Troy Hunt’s “The 5 stages of Data Breach Grief“.

Advertisement. Scroll to continue reading.

The website was taken down by its hosting provider yesterday shortly after 11pm.

 

However, that doesn’t mean that the data has not been leaked, nor does it mean that the data can still be made available online. Whoever has this data can easily create another random website, and put the same site up. The breach appears to be real.

Jio is yet to respond to the following questions

1. How is the user data stored by Jio
2. Whether the data is encrypted when stored and if yes, what kind of encryption.
3. Whether data is encrypted when being transmitted from retailers to jio.
4. Do you store Aadhaar numbers or merely use authentication to validate credentials.
5. How could this data have leaked, in your opinion.
6. What steps is Jio planning to take to address this issue
7. Whether you have alerted CERT-IN about this data leak
8. How many people have access to the unencrypted customer database.

Jio used the Aadhaar KYC process for authenticating users, and this is something which all telecom operators are going to do, following a DoT directive based on a flawed reading of a Supreme Court of India ruling. Hence the question about the encryption of the data in transit: what happens to Aadhaar data once it leaves the UIDAI, and into private hands?

We’ve written to Jio again requesting a response to these specific questions, instead of a boilerplate denial sent to everyone.

User Rights

Note that even if Aadhaar numbers have been leaked, users will have no right to take Jio or the person who took the data, to court. Under the Aadhaar Act, you have no rights over your personal data, and only the UIDAI does.

Advertisement. Scroll to continue reading.

India doesn’t have a privacy law, but a data protection law is believed to be in the works. Meanwhile, the Indian government has argued in the Supreme Court that privacy isn’t a fundamental right.

Magicapk.com

The website was registered two months ago, and the individual who registered the domain has apparently chosen not to make their identity public. A previous version of the website cached last month by Google shows a simple message: “coe back soon [sic]”.

Jio’s full statement

We have come across the unverified and unsubstantiated claims of the website and are investigating it. Prima facie, the data appears to be unauthentic. We want to assure our subscribers that their data is safe and maintained with highest security. Data is only shared with authorities as per their requirement. We have informed law enforcement agencies about the claims of the website and will follow through to ensure strict action is taken.

(Updates: Added a question, based on a recommendation via twitter from @ahalam).

Written By

Founder @ MediaNama. TED Fellow. Asia21 Fellow @ Asia Society. Co-founder SaveTheInternet.in and Internet Freedom Foundation. Advisory board @ CyberBRICS

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.

Views

News

The DSCI's guidelines are patient-centric and act as a data privacy roadmap for healthcare service providers.

News

In this excerpt from the book, the authors focus on personal data and autocracies. One in particular – Russia.  Autocracies always prioritize information control...

News

By Jai Vipra, Senior Resident Fellow at Vidhi Centre for Legal Policy The use of new technology, including facial recognition technology (FRT) by police...

News

By Stella Joseph, Prakhil Mishra, and Yash Desai The Government of India circulated proposed amendments to the Consumer Protection (E-Commerce) Rules, 2020 (“E-Commerce Rules”) which...

News

By Rahul Rai and Shruti Aji Murali A little less than a year since their release, the Consumer Protection (E-commerce) Rules, 2020 is being amended....

You May Also Like

News

Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

News

By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

Advert

135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...

News

Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Name:*
Your email address:*
*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ