Updated: How I found the man suspected for #JioLeak before police did
A story titled “Police detain a suspect in India’s Jio data leak probe” by Reuters cites an unnamed police officer, confirming my suspicion. An excerpt from the Reuters story:
The local police official, who asked not to be named, said a man named Imran Chhimpa had been detained early Tuesday evening in connection with the investigation and a team of investigators from Mumbai was expected to arrive shortly. (source)
What was the data that was exposed?
It seems like the name, mobile number, email address, circle and activation date & time of early Jio customers were leaked. There are claims that even Aadhaar numbers were leaked but I could not independently verify this.
How did this story come to the forefront?
Again, I could not independently verify this because AlphaBay itself is down. But let me put that into context: basically, details of 2 crore (20 million) Indians are available for a measly sum of Rs. 29,05,915 ($45025).
At what price is per user data available for a spammer or scammer from Jio database?
Do the math yourself with the stats given above. I know this number is going to be debated a lot. Have more to add? I will be happy to join you for a discussion in the comments.
I wonder, are early adopters paying the price for ‘free data packets’?
How the story unfolded
Varun Krishnan, founder-editor, FoneArena, published the #JioLeak story on Sunday evening. The same night, I started receiving calls enquiring if I knew anything or had read it. I was unaware. But, I knew there were a few things that you can do as a Public Relations Officer (PRO) in a crisis situation like this:
- Acknowledge the hack or leak and be transparent like Zomato
- Deny the leak entirely like *coughs, coughs* these gentlemen
- Fess up that you don’t know what’s happening (never recommended)
This is in addition to coordinating with different stakeholders like the leadership & security team, journalists & police. This is the traditional way of containing the situation.
However, in today’s age of anxiety, you also can unleash the trolls for maximum deniability & to suppress the story before it gains momentum.
Reliance made the mistake of over-exposing themselves
Gaurav Baghel is the cofounder of Verloop, a known techie with an interest in security. Post #JioLeaks, he put out the following tweet:
The denials were swift but the profiles they came from were suspicious. There was a pattern of denial. Here’s a snapshot.
A clarification from my end would be great at this point. Not all Jio data was exposed but a part of it. So, a false positive was possible. The complete deniability that Reliance is claiming, however, is again suspect. Various sources confirmed the leak.
If you further investigate the user profiles, you will realise that they are regularly part of hashtag trending activities. If you are unaware of how that works, I recommend this eye-opening story by Ashish Mishra.
The Smoking Gun
The man arrested under suspicion, Imran Chhimpa, was the one who posted the website with leaked data on Frendz4m. Sadly, I did not happen to take screenshots. However, there is another thread where a user is asking for ‘call details of jio numbers.’ Here the name of Imran pops up again as the go-to man for everything Jio.
As the story started to explode, Imran panicked and requested the moderators to take down the thread.
Again, like an idiot, I forgot to screenshot and the URL is now inaccessible.
Does this mean that Imran is guilty? No. More investigation is needed. Sadly, one cannot expect that any of that will be transparent, because why do it? It is not mandated as per Indian law.
Why should it worry us?
In Narendra Modi-led digital India, internet security seems to have taken a backseat. Data leaks have been regular. If you were caught unaware by the number of instances, don’t worry, it is not your fault. Currently, as per Indian law, companies and Government entities are not liable to acknowledge hacks or leaks.
As this story of the IRS scam from Ahmedabad makes clear, Indian scammers are amazing at social engineering. With such regular leaks and lack of security guidelines, expect this crisis to grow in the years to come.
This story goes deeper. I hope there will be follow-ups on it.
I have previously written about security and phishing issues. Here are a few of them:
NaMo App: BJP’s ‘surgical strike’ for user data
Narendra Modi, Prime Minister of India, yesterday reached out to the citizens of India for feedback on demonetisation…
Be careful of this Whatsapp phishing scam
When people think of hacking, they think of keyboards, geeks, networks and code wars aka brute force attacks. Truth be…
Hit wicket: Sachin Tendulkar just set off a privacy disaster on Twitter | FactorDaily
Update: After the publication of this article and backlash on social media, Sachin Tendulkar has deleted the Tweet. As…
P.S. I am bad at proof reading. If you find errors, ping me on Twitter — A_itya is my handle.