Cyber Incident Victim: Kerala government's civil supplies department
Date:
Nov 2016
Location:
India
Summary
A hacker breached the Kerala government's civil supplies department website, exposing sensitive personal data of over 34 million residents, including names, addresses, birth dates, income details, and electoral information. The attacker, an IT consultant, claimed he publicly posted the information on Facebook after repeated unsuccessful attempts to alert authorities about critical security vulnerabilities. The breach exploited primitive security measures on the NIC-hosted site, allowing extraction of approximately 100GB of data through simple methods. Exposed data raised concerns about potential misuse for identity theft, SIM duplication, and financial fraud.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In early September 2018, an Indian IT consultant based in Tokyo compromised the Kerala Civil Supplies Department's website (civilsupplieskerala.gov), exposing sensitive personal data of approximately 34 million residents. The attacker, identified as N.T.R. from Thiruvananthapuram, accessed and extracted 100GB of beneficiary records from the Public Distribution System (PDS) database over seven days. He subsequently posted the data publicly on Facebook. The breached information included full names, residential addresses, birth dates, gender details, monthly income figures, electoral card numbers, and consumer reference numbers for electricity and cooking gas connections. This dataset covered all 8,022,360 PDS beneficiaries and their family members across Kerala. The National Informatics Centre (NIC), responsible for designing, developing, and hosting the website, had failed to implement basic security measures despite prior warnings. Cybersecurity experts warned the leaked data could enable identity theft, SIM card duplication, and financial account compromises through password resets.
The breach resulted from fundamental security failures in the PDS beneficiary list published under the Food Security Act 2013. N.T.R. exploited the government's decision to publicly list all ration card numbers on the website, enabling him to systematically harvest corresponding personal records through automated requests. He made over 30 million data requests from a single IP address without triggering security blocks typically implemented by servers to prevent scraping. The hacker claimed he had repeatedly alerted NIC and civil supplies officials about vulnerabilities through written communications and phone calls prior to the breach, but received no response. His public disclosure aimed to force accountability for the security negligence. The incident marked one of India's largest government data exposures at the time, with compromised records representing nearly the entire population of Kerala. No official containment measures or victim notifications were detailed in available reports following the disclosure.