Updated: How I found the man suspected for #JioLeak before police did

Aditya Kshirsagar
Jul 11, 2017

Throughout 2017, we have had multiple reports of leaks at Aadhaar, Zomato, McDonalds and Ola. The latest in the series of leaks is from Reliance Jio (aka #JioLeaks).

It was first spotted by Varun Krishnan from FoneArena. I happened to follow the events as they unfolded. This is the story of how I found the suspect, Imran Chhimpa, via Twitter.

A story titled “Police detain a suspect in India’s Jio data leak probe” by Reuters cites an unnamed police officer, confirming my suspicion. An excerpt from the Reuters story:

The local police official, who asked not to be named, said a man named Imran Chhimpa had been detained early Tuesday evening in connection with the investigation and a team of investigators from Mumbai was expected to arrive shortly. (source)

What was the data that was exposed?

Image courtesy: Medianama

It seems like the name, mobile number, email address, circle and activation date & time of early Jio customers were leaked. There are claims that even Aadhaar numbers were leaked, but I could not independently verify this.

How did this story come to the forefront?

It all started with this Reddit thread. However, what’s more worrisome is that this data has been on sale on AlphaBay (dark web) for the last two months.

Again, I could not independently verify this because AlphaBay itself is down. But let me put that into context: basically, details of 2 crore (20 million) Indians are available for a measly sum of Rs. 29,05,915 ($45025).

At what price is per user data available for a spammer or scammer from Jio database?

Do the math yourself with the stats given above. I know this number is going to be debated a lot. Have more to add? I will be happy to join you for a discussion in the comments.

I wonder, are early adopters paying the price for ‘free data packets’?

How the story unfolded

Varun Krishnan, founder-editor, FoneArena, published the #JioLeak story on Sunday evening. The same night, I started receiving calls enquiring if I knew anything or had read it. I was unaware. But, I knew there were a few things that you can do as a Public Relations Officer (PRO) in a crisis situation like this:

  1. Acknowledge the hack or leak and be transparent like Zomato
  2. Deny the leak entirely like *coughs, coughs* these gentlemen
  3. Fess up that you don’t know what’s happening (never recommended)

This is in addition to coordinating with different stakeholders like the leadership & security team, journalists & police. This is the traditional way of containing the situation.

However, in today’s age of anxiety, you also can unleash the trolls for maximum deniability & to suppress the story before it gains momentum.

Reliance made the mistake of over-exposing themselves

Gaurav Baghel is the cofounder of Verloop, a known techie with an interest in security. Post #JioLeaks, he put out the following tweet:

The denials were swift, but the profiles they came from were suspicious. There was a pattern of denial. Here’s a snapshot.

A clarification from my end would be great at this point. Not all Jio data was exposed, but a part of it. So, a false positive was possible. The complete deniability that Reliance is claiming, however, is again suspect. Various sources confirmed the leak.

If you further investigate the user profiles, you will realise that they are regularly part of hashtag trending activities. If you are unaware of how that works, I recommend this eye-opening story by Ashish Mishra.

The Smoking Gun

The man arrested under suspicion, Imran Chhimpa, was the one who posted the website with the leaked data on Frendz4m. Sadly, I did not happen to take screenshots. However, there is another thread where a user is asking for ‘call details of jio numbers.’ Here the name of Imran pops up again as the go-to man for everything Jio.

As the story started to explode, Imran panicked and requested the moderators to take down the thread.

Again, like an idiot, I forgot to screenshot and the URL is now inaccessible.

Does this mean that Imran is guilty? No. More investigation is needed. Sadly, one cannot expect that any of that will be transparent, because why do it? It is not mandated as per Indian law.

Why should it worry us?

In Narendra Modi-led Digital India, internet security seems to have taken a backseat. Data leaks have been regular. If you were caught unaware by the number of instances, don’t worry, it is not your fault. Currently, as per Indian law, companies and Government entities are not liable to acknowledge hacks or leaks.

As this story of the IRS scam from Ahmedabad makes clear, Indian scammers are amazing at social engineering. With such regular leaks and a lack of security guidelines, expect this crisis to grow in the years to come.

This story goes deeper. I hope there will be follow-ups on it.

-fin-

I have previously written about security and phishing issues. Here are a few of them:

P.S. I am bad at proofreading. If you find errors, ping me on Twitter — A_itya is my handle.
