It was the lure of free recharge after Reliance Jio started charging its customers that led 35 -year-old computer science student Imran Chippa to gain unauthorised access to the company's database systems, a police official said today.
"Chippa got hold of a forwarded message on a chat application which promised people ways to get free recharges. After clicking on the link provided, he found out an ID and password," the official said.
These credentials are the ones given to Jio vendors to be put in a specially designed mobile application for carrying out transactions like recharges for customers.
The credentials (the ID and password found by him) which the accused got were reportedly of a vendor in Odisha. However, Chippa, who had earlier appeared for an MCA exam and was searching for a job, could not get the free recharge that he was seeking, the official said.
He put in Jio mobile numbers on the app after gaining access using the credentials and was surprised to get "personal details" of Jio customers, he said.
"This is when an idea to commercially utilise the data stuck him. Using his skills of computer programming, Chippa began developing an app similar to (the app) TrueCaller and started by creating a Web host," the official said.
In that attempt, he created the website - magicapk.com - which was hosted by Andheri-based company Endurance International Group, he said.
According to police, Chippa claimed to provide Jio user data through his website.
He allegedly started to get unauthorised access to Reliance Jio's systems in the first week of July and the company's customer data started to appear on magicapk.com, he said.
Vigilance officials from Jio were shocked to discover the access given to commoners through the website on July 9 at 5.15pm and continued monitoring the same till 9.30pm, the police official said.
The vigilance officials then approached the Rabale MIDC police station later with a complaint.
"Since getting unauthorised access to Jio's data, the website magicapk.com had got more than 50,000 hits by viewers," Navi Mumbai's Deputy Commissioner of Police (crime) Tushar Doshi told PTI.
On July 9, a telecom industry portal wrote about the alleged data security issues, following which a probe was launched which resulted in the arrest of Chippa from Rajasthan.
He is a resident of Rajasthan's Sujangarh town.
Jio had earlier said that the claims of the website were "unverified" and "unsubstantiated".
"Prima facie, data appears to be unauthentic. We want to assure our subscribers that their data is safe and maintained with highest security. Data is only shared with authorities as per their requirement," it had said.
Jio had said it has "informed law enforcement agencies about the claims of the website and will follow through to ensure strict action is taken".
Doshi had earlier explained that as part of its regular operations, Jio - whose subscriber base had crossed 100 million within six months of the launch - makes certain data available to its retailers through a website and Chippa gained unauthorised access to the company's servers.
Asserting that this excludes sensitive details like Aadhaar details or PAN numbers, Doshi said one was able to get a Jio subscriber's name, email ID, SIM activation date, telecom circle and alternate number by putting the Jio number in the search command.
Reliance was one of the first operators to add customers solely on the basis of Aadhaar details as address and identity proof. Later, the government made it mandatory for all new connections to be activated against Aadhaar details.
The presence of Aadhar details, which includes biometrics, had raised concern in certain quarters after the data breach came to light.