BSNL's 278-GB Leak: Why Your SIM Is Your Real ID — and Why That's a Problem

In May 2024, BSNL suffered a breach that exposed 278 gigabytes of sensitive telecom data — including International Mobile Subscriber Identity (IMSI) numbers, SIM card details, home location register (HLR) data, and operator-side data that maps your SIM to your physical location history. For the more than 100 million BSNL subscribers in India, this was not a data breach. It was a blueprint for identity theft.

Your SIM Is Your Real Identity

India has built its entire digital economy on the mobile number. Your UPI address is linked to it. Your bank's OTP system depends on it. Your WhatsApp, your food delivery apps, your government benefit registrations, your income tax portal — every one of these uses your phone number as either a primary identifier or a fallback verification method.

This makes the mobile number the most valuable single piece of information an attacker can have. The BSNL breach did not just expose subscriber data. It exposed the underlying infrastructure of how those SIMs work — the kind of technical detail that makes SIM-swap attacks and OTP interception significantly easier to execute.

You have one phone number connected to your bank, your wallet, your WhatsApp, and your tax filings. Attackers have one target. The economics of this are not in your favour.

What SIM Cloning and OTP Interception Actually Look Like

A SIM-swap attack begins with an attacker calling your telecom provider's customer service line or visiting a franchise outlet. They claim to be you. They say their phone was lost or the SIM was damaged. With your name, number, Aadhaar, and address — all available from multiple Indian breaches — they pass the verification questions. A new SIM is issued. Your SIM goes dead. Theirs starts receiving your OTPs.

The entire account takeover happens in minutes. They log into your bank, trigger a password reset via OTP, change the password, and transfer funds. By the time you realise your SIM has stopped working and call your provider, the money is gone.

For gig workers, small business owners, and anyone running a business on UPI, this is not an abstract threat. Your livelihood runs through that phone number. One successful SIM-swap can drain your working capital overnight.

The Specific Risk for Students and First-Time Digital Users

India's student population and first-time digital users are disproportionately affected by SIM-based attacks for two reasons. First, they are more likely to use a single SIM for everything — personal, financial, and social — because they cannot afford or do not know to separate them. Second, they are more likely to be targeted by the low-sophistication scams that the BSNL data enables: fake internship offers, fake scholarship OTP requests, and fake delivery rescheduling messages that harvest credentials.

Five Things to Do Before You Sleep Tonight

  • Set a SIM PIN immediately. Go to your phone's SIM settings and set a 4-8 digit PIN that must be entered if the SIM is removed and placed in a different device. This does not prevent a carrier-level SIM-swap but adds a layer of friction for physical theft.
  • Call BSNL or your provider and request that no duplicate SIM be issued without you physically visiting a company-owned store with your original photo ID. Keep a note of the customer service representative's name and the date you made this request.
  • Move your banking OTPs to a separate SIM or use an authenticator app instead. If you use a dual-SIM phone, put your banking-linked number on a SIM you never share in any form online.
  • Audit every app that uses your phone number as a login. For each one, check whether you can switch to email login or add an authenticator app as the primary 2FA method, reducing dependence on SMS OTPs.
  • Never charge your phone at public USB ports. Hardware skimmers on public charging cables can clone SIM data and install software that intercepts OTPs. Carry a personal power bank.

Worth trying: When your entire financial life runs through one SIM, the solution is to not let that SIM be the only gatekeeper. Byteseal's hardware biometric key adds a layer of authentication that cannot be intercepted over a mobile network — your fingerprint is required, physically, on the device. byteseal.in

Your SIM is not a communication tool anymore. It is your identity, your wallet, and your signature. Treat it with the same security you would apply to a physical bank card — because in India's digital economy, it is worth more than one.
