Largest Indian Data Leak: 815 Million People’s COVID Test Data on Sale, Samples Verified

An independent analyst has confirmed the COVID data leak by checking the data samples against a government portal of India.

The dark web has turned out to be an unnerving market for the private COVID information of nearly 815 million citizens of India. This is likely the largest data leak in India to date.

COVID-19 test data held by the Indian Council of Medical Research (ICMR) was named as the source of the data on the dark web.

The Indian COVID data sale was initially noticed by the American cybersecurity and intelligence agency, Resecurity.

COVID Data Leak of 815 Million Indians

Samples of leaked data (Photo: Resecurity)

In the COVID data sale post made on the dark web, the cybercriminal claimed to be selling the personal information of 815 million Indians.

The information in the COVID test data sale included:

  1. Names
  2. Phone numbers
  3. Addresses

The COVID-19 test data sale also included passport and Aadhaar card information. Aadhaar, which translates to "support" in Hindi, is a government program that assigns a 12-digit unique identity number to each citizen of India.

Dark Web Post About the COVID Test Data Sale

Dark Web post about the data sale (Photo: Resecurity)

The cybercriminal who advertised the allegedly largest COVID test data sale in the country on the breach forum has an account on X.

The user is present on the breach forum under the alias pwn0001. The user put up the Indian COVID test data sale post on October 9, 2023. The post, with the headline "Indian Citizen Aadhaar & Passport Database 2023", claimed to have details including age, gender, and father’s name.

The ICMR COVID-19 test samples amounted to over 90 GB according to the breach forum sale post. The file was available in XIP-CSV format.

The data was shared in spreadsheets, with four samples including Aadhaar data as proof. One of the samples of the COVID test data included 100,000 records of personally identifiable information.

An independent analyst found that the samples contained genuine Aadhaar card IDs. The data was confirmed using a government portal that offers a feature to verify Aadhaar credentials.

The threat actor behind the Indian COVID data sale has not been identified by law enforcement agencies so far.

Indian COVID Test Data Sale

The Indian Computer Emergency Response Team (CERT-In) has alerted the ICMR about the news of the alleged ICMR COVID data breach. It is not clear whether the hacker breached the systems of the ICMR or stole the data from other sources.

CERT-In had asked the ICMR to verify the samples of data on the dark web against those in its database.

According to reports, the samples have been verified, and the data in the COVID test data sale matched the data held by the ICMR. Following this, several top officials from various agencies and ministries have been asked to investigate the ICMR COVID test data breach.

Since the ICMR COVID data leak is said to expose sensitive information of millions of people in India, the incident is likely to be probed by the Central Bureau of Investigation (CBI).

It was found that foreign actors were involved in the COVID-19 data breach, and a premier agency is speculated to be taking up the case for investigation.

To prevent further damage, all the necessary steps under the standard operating procedure have been followed.

This probe is to begin upon receiving a complaint from the ICMR.

The COVID-19 data leak is speculated to be the result of a hacking incident, as the ICMR was subjected to over 6,000 attempts in 2022. The central agencies as well as the council have been aware of the cyberattack attempts.

The agencies had asked the ICMR to take steps to prevent data theft.

Previously, COVID-19 data of Indians was allegedly leaked in February 2023 after a cybercriminal accessed data from the government portals.

The Cyber Express emailed the ICMR for comment on the alleged COVID data breach. We will update this report upon receiving a response.
