Cyber Incident Victim: Narendra Modi Official Website
Date: Sep 2020
Location: India
Summary
A cybersecurity firm reported a data breach impacting the official website of India's Prime Minister, resulting in the theft of personally identifiable information from over 570,000 users, including names, contact details, and email addresses. The compromised data, allegedly available for sale on the dark web, also contained financial transaction records of approximately 292,000 donors, with non-public details such as bank reference numbers and payment modes. The breach was linked to a prior compromise of the website’s associated Twitter account. The firm claimed to have notified India’s national cybersecurity agency, though no official confirmation or denial was issued by the relevant authorities or the website administrators at the time of reporting.
Description
In October 2020, cybersecurity firm Cyble reported a data breach impacting narendramodi.in, the official website of Indian Prime Minister Narendra Modi. The firm alleged that attackers stole Personally Identifiable Information (PII) of approximately 574,000 users, including names, email addresses, and contact details. Cyble discovered the breach after being tipped off on October 10, 2020, that the database was being sold on dark web marketplaces. Analysis revealed the stolen data included two primary databases: 'cctransactions', containing financial donation records, and 'users', containing subscriber information. The transaction records exposed sensitive payment details such as bank reference numbers and payment modes. Approximately 292,000 users had made donations through the platform for initiatives including COVID-19 relief efforts, political party support, and Swachh Bharat campaigns. Cyble linked this breach to a September 3, 2020, incident in which attackers compromised the website's associated Twitter account. The firm notified CERT-In, India's national cybersecurity agency, about the breach before its public disclosure on October 16.

The stolen datasets posed significant risks of criminal misuse due to the combination of financial data and personal identifiers. Donation records revealed microtransaction patterns and specific causes supported by individuals. Cyble acquired samples of the leaked data from dark web sources but did not disclose the asking price or potential buyers. No official confirmation or denial of the breach was issued by the Prime Minister's Office, narendramodi.in administrators, or CERT-In as of the article's publication date. The dark web listing remained active with no publicized containment measures. The incident marked the second known security compromise involving the Prime Minister's digital assets within six weeks, following the Twitter account takeover. Cybersecurity analysts emphasized the operational security implications given the high-profile nature of the target and the inclusion of donor financial information.
