Airtel denies hackers’ claim of data breach involving 2.5 million customers’ records

Cybersecurity researcher Rajshekhar Rajaharia thinks the hackers gained access to Airtel’s customer database using the company’s Subscriber Details Record (SDR) portal and that there are signs of a Pakistani hacker group being behind the attack.

Hackers published what they claim is the personal information of 2.5 million Airtel subscribers from Jammu & Kashmir on a public website, according to independent cybersecurity researcher Rajshekhar Rajaharia. The data included full names, mobile phone numbers, dates of birth, addresses, and Aadhaar IDs.

On 3 February 2021, the day after Rajaharia’s revelation, Airtel rejected the finding, saying that there was no data breach from the company’s end and that the data released by the hacker group showed “glaring inaccuracies”.

The hacker group Red Rabbit initially claimed that it was able to upload a ‘shell’ to the Airtel server, granting it remote control of a machine.

Rajaharia, though, thinks the data is more likely to have come from Airtel’s Subscriber Details Record (SDR) portal. Telecom companies grant government law enforcement agencies access to their SDR portals for surveillance and criminal investigation purposes.

He said he viewed an email conversation between Red Rabbit and Airtel’s security team, in which the latter asked the hackers to take down the website hosting the leaked data until the company was able to investigate the breach.

Rajaharia was also able to independently verify some of the data by matching numbers from the compromised database against those shown by the Truecaller app or on the Aadhaar portal.

A Pakistani connection?

Rajaharia said that Airtel was able to have the website hosting the leaked data taken down, but the hackers responded by hosting the database again on five different websites. The hacker group also shared a Telegram ID with major Indian media outlets to prove that the hack was authentic.

Furthermore, the hackers isolated the information of army personnel in Jammu & Kashmir and posted that database on a public website as well.

Rajaharia pointed out that the website that hosted the stolen data, livefibre.in, was a GoDaddy domain that had been hacked by ‘Mr. Clay’, a member of the hacker group TeamLeets, on 4 December 2020. TeamLeets, the researcher said, is one of Pakistan’s biggest hacker groups.

“Red Rabbit posted the stolen database on a website hacked by TeamLeets, and that can only be possible if Red Rabbit is either TeamLeets or belongs to the hacker group,” said Rajaharia. “The fact that Jammu & Kashmir was targeted—and specifically army personnel stationed in the state—points to a Pakistani connection,” he added.

The Facebook page of the hacker group TeamLeets says: “Our target is to break the security—We are Pakistani Leets.”

Copyright © 2021 IDG Communications, Inc.