India’s Reliance Jio Infocomm Ltd, which is looking into reports of a major leak of user data, has filed a police complaint alleging “unlawful access to its systems,” a police officer involved in the investigation said on Wednesday. The complaint is the telecom company’s first official acknowledgement of a systems breach. Jio has so far denied media reports and user accounts of a leak.
The officer involved in the investigation said Jio filed the complaint on Monday in Navi Mumbai, where it is headquartered. Jio, part of conglomerate Reliance Industries Ltd, did not respond to a Reuters request for comment on Wednesday.
Several local news sites reported late on Sunday that names, telephone numbers and email addresses of Jio users were visible on a site called ‘Magicapk,’ which was subsequently taken down. Jio, headed by India’s richest man Mukesh Ambani, rubbished the website’s claims and said its subscriber data was safe and maintained with the highest security. It said that data on the ‘Magicapk’ website appeared to be “unauthentic.”
Many local news outlets such as Indian Express and MediaNama however, contradicted these claims. They reported being able to cross reference and confirm the veracity of the data on numerous Jio customers known to them.
Experts say India has inadequate data protection laws that do not mandate companies or agencies to notify clients if their personal data has been breached. Advocates for stronger data protection laws say this results in data leaks often going unreported.
“There is a clear stigma attached to being hacked, or data being stolen,” said Akash Mahajan, a web security consultant in Bengaluru, adding this is why companies in India often do not admit to data breaches.
AADHAAR APPEARS SAFE
On Tuesday, Reuters reported that police in the western state of Rajasthan detained a man on suspicion of involvement in the breach, which cyber security analysts say could be the first large-scale leak from an Indian telecoms firm.
The officer involved in the matter declined to give further detail on the investigation, but said preliminary evidence indicated the widely-used “Aadhaar” numbers of Jio customers were not compromised in the leak.
Jio, which launched last September, already boasts over 100 million subscribers after drawing in users with months of free service and now cut-price deals. It is not clear whether data on all 100 million plus customers was compromised. Many users registered for Jio using their 12-digit Unique Identification Authority of India (UIDAI) number, commonly known as the Aadhaar number.
The government is pushing for Aadhaar numbers to be used in everything from opening a bank account to filing tax returns. The number, which works in a similar way to US Social Security numbers, is unique to each Indian citizen and stores users’ biometric data in a centralised database.
The case was registered under Section 66 of the Information Technology Act, which deals with any unauthorized access to a computer network, and Section 379 of the Indian Penal Code, which deals with theft.