Data breach scenario III
Framed for terrorism
For a layperson, what do recent events of data breach and manipulation mean? Are there serious repercussions, especially given the fact that crores of people’s records have been compromised? The chances of an individual being impacted might thus be miniscule.
Deloitte’s Forensic practice in India presents a five part article series where fictitious cases help explain different data breach scenarios and their impact. These cases have been put together based on Deloitte Forensic’s extensive experience of working on some of the top fraud, misconduct and noncompliance investigations in India over the last decade.
Shruti was running between meetings. It wasn’t new for her. Becoming the youngest Partner of a reputed investment management firm had meant sleepless nights, managing multiple projects, keeping clients happy, and not having the luxury of time for herself. As she sipped her coffee and turned the corner, a text message beeped on her phone. It was yet another reminder to link her Aadhaar number and PAN to her bank account. Eight reminders on the same day was too much! Punching the keys furiously, she messaged her assistant Sanjay. “My Aadhaar and PAN are attached. Please link them with my bank a/c, as necessary. Tell them to stop texting me.”
Sanjay didn’t understand why Shruti was always in a hurry, but he knew his job was to deliver quickly without questioning her. Thankfully, he had access to her emails, and swiftly typed out the requisite email to her relationship manager at the bank, Akash Joshi, and attached the PDF files of her Aadhaar Card and PAN. In a hurry, he did not notice that he sent the email to firstname.lastname@example.org.
The van bumped along the road, never going above the speed limit. Inside Sumati tried to calm her furiously beating heart. She couldn’t say if it was nervousness or the effect of the drink her handler had given her this morning. To calm herself, she fidgeted with the colorful vest she was wearing over her clothes, tracing the strap lines and intricate wiring that covered her torso. In a few minutes she would be able to take revenge for the death of her husband. The van started to slow down as it reached its destination. Sumati looked one last time at the crumpled identity card in her hand. She felt a twinge of sadness at the prospect of ruining someone else’s life, but that soon passed.
The van door opened and outside stood Public Chowk – the city’s busiest traffic junction flanked by government offices and a public garden. Sumati closed her eyes and pulled the trigger while chaos ensued.
At 8 p.m. that evening, Shruti was stuck in bumper to bumper traffic. A massive terror attack had gripped the city and the police were checking nearly every car as they approached the various checkpoints placed throughout the city. While her driver tried to navigate through crowded roads, Shruti was busy issuing instructions via email to the managers of the 12 different projects she was overseeing. She did not notice the flashing police lights as her driver approached her neighborhood. “Must be some commotion in the neighborhood. No wonder Ravi called five times,” she thought to her herself when she looked up from her phone. Yet it soon became apparent that those flashing lights were gathered around her house. Seriously concerned, Shruti jumped out of her car as it stopped, and ran into a woman police officer. Before she could say a word, the officer slapped handcuffs on Shruti saying, “You and your husband are under arrest for your involvement in the Public Chowk bombing.”
What went wrong?
Identity cards command a hefty premium in the black market. When Sanjay sent Shruti’s identity cards to Aakash Joshi instead of Akash Joshi, he did not realize the magnitude of his mistake. Aakash initially did not know what to make of receiving someone else’s identity cards. When the owner of a local cyber café told him he could sell someone’s personal information for a substantial sum, Aakash promptly did that.
The data broker who purchased the information began the process of creating a ghost identity. He altered the picture and address on both cards and then used the altered Aadhar Card to procure a SIM card. Then he changed the mobile phone number associated with the Aadhaar Card to the new number he procured with help from a connection at an Aadhaar Kendra. This ensured that one time passwords (OTPs), used as a second layer of authentication, would come to the new number procured using the fake ID. He thus created a ghost identity which could be sold for a few lakhs of rupees.
That ghost identity was bought by Sumati, a trained agent with a terrorist outfit, who had snuck into the country and needed documentation to rent a house, open a bank account, and procure a phone. After she successfully completed her mission, the investigating agencies found that the identity card she had used for all her transactions traced back to Shruti. Shruti was unable to explain how her identity was used by a terrorist, and now faces the possibility of defending several court cases.
A version of this blog post appeared on etcio.com, an initiative of The Economic Times. You may read the article here.
If you have any comments or would like to share your views, please write to us at email@example.com.
Authored by: Sumit Makhija, Partner and Karan Bhasin, Senior Executive, Deloitte India