A day after it arrested a computer science dropout in the Reliance Jio (RJio) data breach case, the police said it was a case of “unauthorised access” into the company’s database and “not a theft.” “It is not a theft, even though while filing the complaint they (RJio) had stated it as a theft. Now it is almost sure that he (the arrested person) was actually accessing the data in an unauthorised manner,” Navi Mumbai Deputy Commissioner of Police Tushar Doshi told PTI.
The Rabale (Navi Mumbai) MIDC Police had on Monday registered a case against unidentified persons. RJio is headquartered at the satellite city. Doshi explained as part of its regular operations, RJio — whose subscriber base had crossed 100 million within six months of the launch — makes certain data available to its retailers which was made available through the website and the arrested person gained unauthorised access to the company’s servers.
“He got hold of a user ID and password and he could manage to access this data,” Doshi, who is one of the investigating officers in the case, said referring to the accused Imran Chippa who was arrested from Rajasthan.
Asserting that this excludes sensitive details like Aadhar details or PAN numbers, Doshi said one was able to get a RJio subscriber’s name, email ID, SIM activation date, telecom circle and alternate number by putting the RJio number in the search command.
Reliance was one of the first operators to add customers solely on the basis of Aadhaar details as address and identity proof. Later the government made it mandatory for all new connections to be activated against Aadhaar details. “It is not that data is entirely visible there. You will get details only on the RJio number. There is a search engine on the website,” Doshi explained. The presence of Aadhar details, which includes biometrics, had raised concern in certain quarters after the data breach came to light over the weekend.
When asked about the difference between a data theft which was being feared initially and an unauthorised access to data servers, Doshi said, “theft means you have to download the data from a server. But in the present case that is not what happened. This is not data theft.”
Accordingly, he said police will drop the first FIR filed under Section 379 of IPC (theft) but the charges under sections 43(c) read with Section 66 of the IT Act will remain. The case is being probed jointly by the Navi Mumbai Police and the Maharashtra Cyber Cell. Investigators said RJio filed a complaint with the Rabale MIDC police after it came across the website offering user details.
The police have recovered 50 SIM cards from the 35-year-old computer science dropout from Rajasthan arrested in this connection. The cards were recovered in Rajasthan’s Churu district, from the house of one Imran Chippa, a police official told PTI.
The police had earlier recovered a computer, mobile phone and other devices from Chippa, the official said. “Most of the SIM cards recovered are of RJio,” Balsingh Rajput, SP (Maharashtra Cyber) said. “We are interrogating him to ascertain the purpose for which he had obtained these cards.”
Chippa was produced in a local Jaipur court and was sent to the custody of the Cyber Police on transit remand. However, the exact quantum of the subscribers whose data was made available was not immediately known. “It will take some time to know Chippa’s modus operandi and the number of people involved in the data leak,”the official said.
A resident of Sujangarh town in Rajasthan, Chhipa had made the website Magicapk. He claimed to provide Jio user data through his website, police said. When contacted, an RJio spokesperson declined comments. In a statement on late Sunday evening, the company had said claims of the website were “unverified” and “unsubstantiated”.
“Prima facie, data appears to be unauthentic. We want to assure our subscribers that their data is safe and maintained with highest security. Data is only shared with authorities as per their requirement,” it had said.
Jio further said it has “informed law enforcement agencies about the claims of the website and will follow through to ensure strict action is taken”.
After the police complaint was lodged, the Mumbai Police reached Churu after tracking the IP address and took Chhipa into custody last night. Following the data leak, the domain of the website has been suspended. An analysis by the Maharashtra Cyber Police headed by IG Brijesh Singh led investigators to zero in on the location from where the suspected data breach had happened, he said.