Leak in system: Delhi Jal Board site feature exposes millions to scammers
A feature on the Delhi Jal Board's website has created a vulnerability that potentially allows scammers easy access to tens of thousands of residents' personal information, which may have enabled frauds worth at least ₹10 crore in four months, according to police.
The DJB's 'Know Your KNO' portal, designed to help citizens find their 10-digit water connection identifier, inadvertently functions as a data harvesting tool. Anyone can input a partial address—as few as 10 characters—and access detailed results showing residents' full names, addresses, mobile numbers, and unique connection numbers (KNOs). These KNO numbers can then be used to get bill details of individual customers.
With 2.9 million water connections across Delhi potentially exposed through this vulnerability, fraudsters pose as DJB officials and contact victims with urgent disconnection threats, using their personal and bill details to establish credibility before stealing money through malicious mobile applications or other means.
The scam now accounts for approximately 20% of all cybercrimes reported in Delhi, according to multiple police station house officers across the capital.
According to cyber officials, at least 5,000 complaints are received on NCRP each month in Delhi. Of these, more than 700 are complaints related to DJB fraud. Police said FIRs are limited to 100-200 as many complainants make double complaints or file wrong information.
'The accused sent a message saying my DJB connection will be cut off tonight as my metre reading was not updated,' said Laxman Agarwal, a 52-year-old RK Puram resident who lost ₹38,000 in May. 'He knew my address, my phone number, my KNO number and meter status. He said the pending amount was ₹12.'
The method involves convincing targets to visit a malicious link or install an application.
Agarwal downloaded an application file that appeared genuine, complete with DJB logos. 'As soon as I put my banking details, it showed an 'unsuccessful' transaction. While I was on the call with the accused, he quickly took out money in three transactions. I didn't even give him an OTP.'
A businessman from Vasant Kunj lost over ₹1.5 lakh in a similar manner. 'The message said my connection would be disconnected in three hours. It's summer and losing water connection was scary,' he said, requesting anonymity. 'In less than an hour, ₹1 lakh was withdrawn from my two bank accounts.'
The scammers typically claim small pending amounts—often just ₹12—to avoid suspicion. However, once victims engage, they lose significantly larger sums, usually between ₹20,000 and ₹50,000, according to a police inspector in the south range.
Deputy commissioner of police (southwest) Amit Goel said his force has received multiple complaints over the past four to five months. 'The scale of the scam is growing as multiple gangs are misusing data from DJB and targeting unsuspecting victims.'
On June 2, police arrested three men from Jamtara and Deoghar in Jharkhand. Analysis of their devices revealed involvement in 35 additional cases, with one mobile number alone used to target 14 victims.
Police estimate that at least 100 people fall victim to this scam in a month, though no collated figure was available. The total losses, an official said, has reached ₹10 crore over four months.
'We have written to DJB and even issued warnings on social media. However, the cases keep on increasing. DJB should either restrict access or do something,' said a deputy commissioner-level officer, asking not to be named.
A freelance journalist from Inderpuri who lost ₹8,000 this week highlighted the broader problem: 'The biggest issue is that DJB has all the data and anyone can see it.'
Even senior officials are targeted. A senior IAS officer in Kidwai Nagar received such a message on Monday, claiming a ₹12 pending amount would result in disconnection. He spoke to the person but on learning that the caller's number was 'active in Jharkhand', he realised it was a scam and did not fall prey to it.
DJB released an advisory and officers shared details of their plan to make people aware of the scam.
On June 3, DJB issued a social media advisory stating: 'It has been brought to the attention of DJB that its consumers are being contacted through mobile calls/SMS/WhatsApp messages by individuals falsely claiming to be from DJB... All consumers are urged to remain alert.'
For now, DJB is not planning make changes to vulnerable portal, an official said.
Since June, we have been spreading awareness about the scam through press releases, ads, social media and other platforms. At present, we are asking all our customers to call us and not fall prey to any of the calls or messages. We don't cancel any connection through messages. Also, people can check any meter update on our genuine website. For now, we are not making any changes to the website because people want to know the KNO and can't come to our office all the time,' a DJB official, asking not to be named.
Dr Pavan Duggal, a cybersecurity expert, said, 'These cases are happening as cyber security loopholes are being exploited by fraudsters. This is not limited to DJB but multiple government portals. We need to have better cybersecurity systems in place to avoid this. Also, giving out all these personal details of the customers openly is in violation of the IT rules and regulations. The fraudsters are using the loophole to scam people. The system will have to be amended in a manner that effective remedies are provided to citizens, improved cyber security of government portals are in place and people need to be encouraged to improve cyber safety on their own.'
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
New Indian Express
a day ago
- New Indian Express
Telangana HC notice to Naveen Mittal in evacuee property NOC case
In the second petition, Agarwal contested a decision of the trial court which had kept in abeyance the cognisance proceedings against Mittal and other public servants due to the pending sanction under Section 197 CrPC. The petitioner alleged that the NOCs were issued illegally to third parties in criminal collusion with other accused persons. She claimed that forged and fabricated documents were used and that the NOCs were issued with false recitals. She also alleged that objections raised by her were recorded without her being served any notice or given an opportunity to be heard. The NOC proceedings allegedly went so far as to declare the title and possession in favour of the applicants, effectively undermining her own claim to the property. Agarwal asserted that the entire process was aimed at misclassifying the disputed land as 'non-evacuee' property, thereby nullifying her title which is based on GO No 388 dated December 20, 1954. This government order had declared the subject land as evacuee property, forming the basis of her claim. The two writ petitions came up for hearing before separate Single Judge Benches — one headed by Justice K Lakshman and the other by Justice N Tukaramji. After hearing the submissions, both benches issued notices to Mittal.
New Indian Express
a day ago
- New Indian Express
Ex-municipality chairman among five held for extortion of money from truckers
JHARSUGUDA: Lakhanpur police on Wednesday night arrested five persons including former chairman of Brajrajnagar municipality Kishor Agarwal for allegedly extorting money from truck drivers loading coal at Lakhanpur opencast mines. Apart from prime accused Agarwal (65) of Lamtibahal, his associates Stifen Paramanik, Amarendar Singh, Sujit Kerketta and Sashi Dhar Chouhan were arrested under sections 296, 308 (6), and 61 (2) of BNS. The arrests were made on basis of a complaint filed by one Sunny Ram (36), a truck driver of Simdega in Jharkhand, alleging coercion and threats by the accused. Ram filed the complaint on June 18 alleging that the accused demanded Rs 145 per truckload to affix a seal on loading slips, essential for issuing challans. The driver claimed he was transporting coal in his truck when Singh and two of his associates approached him and demanded money. When he refused, they reportedly manhandled him and threatened him with dire consequences. The accused also warned that his truck would be blacklisted if he did not pay. Ram further said the three accused claimed to be operating under Agarwal's instructions and boasted of high-profile connections. Fearing retribution, the driver paid the amount, and a seal marked 'LSS' was placed on his loading slip. Brajrajnagar SDPO Chintamani Pradhan said basing on the complaint, police registered a case and started investigation. Subsequently, the five accused were arrested and produced in court. Sources said around 400 to 500 trucks, each carrying 17 to 18 tonne of coal, are dispatched daily from Lakhanpur opencast mines to various industries like Vedanta, JSW, BPSL and Hindalco. Agarwal, who owns IB Valley transport, allegedly collected Rs 5 per tonne of coal from transporters. He had secured a tender of Mahanadi Coalfields Limited (MCL) at 99 per cent discount to load 400–500 trucks daily at Lakhanpur mines using his payloaders. The illegal collection of money was going on for years. Contacted, general manager of Lakhanpur Area AK Pandey said they support coal dispatch by rail and oppose transport by trucks. Steps are being taken to stop illegal collection from truck drivers, he added.
Hindustan Times
2 days ago
- Hindustan Times
Leak in system: Delhi Jal Board site feature exposes millions to scammers
A feature on the Delhi Jal Board's website has created a vulnerability that potentially allows scammers easy access to tens of thousands of residents' personal information, which may have enabled frauds worth at least ₹10 crore in four months, according to police. The DJB's 'Know Your KNO' portal, designed to help citizens find their 10-digit water connection identifier, inadvertently functions as a data harvesting tool. Anyone can input a partial address—as few as 10 characters—and access detailed results showing residents' full names, addresses, mobile numbers, and unique connection numbers (KNOs). These KNO numbers can then be used to get bill details of individual customers. With 2.9 million water connections across Delhi potentially exposed through this vulnerability, fraudsters pose as DJB officials and contact victims with urgent disconnection threats, using their personal and bill details to establish credibility before stealing money through malicious mobile applications or other means. The scam now accounts for approximately 20% of all cybercrimes reported in Delhi, according to multiple police station house officers across the capital. According to cyber officials, at least 5,000 complaints are received on NCRP each month in Delhi. Of these, more than 700 are complaints related to DJB fraud. Police said FIRs are limited to 100-200 as many complainants make double complaints or file wrong information. 'The accused sent a message saying my DJB connection will be cut off tonight as my metre reading was not updated,' said Laxman Agarwal, a 52-year-old RK Puram resident who lost ₹38,000 in May. 'He knew my address, my phone number, my KNO number and meter status. He said the pending amount was ₹12.' The method involves convincing targets to visit a malicious link or install an application. Agarwal downloaded an application file that appeared genuine, complete with DJB logos. 'As soon as I put my banking details, it showed an 'unsuccessful' transaction. While I was on the call with the accused, he quickly took out money in three transactions. I didn't even give him an OTP.' A businessman from Vasant Kunj lost over ₹1.5 lakh in a similar manner. 'The message said my connection would be disconnected in three hours. It's summer and losing water connection was scary,' he said, requesting anonymity. 'In less than an hour, ₹1 lakh was withdrawn from my two bank accounts.' The scammers typically claim small pending amounts—often just ₹12—to avoid suspicion. However, once victims engage, they lose significantly larger sums, usually between ₹20,000 and ₹50,000, according to a police inspector in the south range. Deputy commissioner of police (southwest) Amit Goel said his force has received multiple complaints over the past four to five months. 'The scale of the scam is growing as multiple gangs are misusing data from DJB and targeting unsuspecting victims.' On June 2, police arrested three men from Jamtara and Deoghar in Jharkhand. Analysis of their devices revealed involvement in 35 additional cases, with one mobile number alone used to target 14 victims. Police estimate that at least 100 people fall victim to this scam in a month, though no collated figure was available. The total losses, an official said, has reached ₹10 crore over four months. 'We have written to DJB and even issued warnings on social media. However, the cases keep on increasing. DJB should either restrict access or do something,' said a deputy commissioner-level officer, asking not to be named. A freelance journalist from Inderpuri who lost ₹8,000 this week highlighted the broader problem: 'The biggest issue is that DJB has all the data and anyone can see it.' Even senior officials are targeted. A senior IAS officer in Kidwai Nagar received such a message on Monday, claiming a ₹12 pending amount would result in disconnection. He spoke to the person but on learning that the caller's number was 'active in Jharkhand', he realised it was a scam and did not fall prey to it. DJB released an advisory and officers shared details of their plan to make people aware of the scam. On June 3, DJB issued a social media advisory stating: 'It has been brought to the attention of DJB that its consumers are being contacted through mobile calls/SMS/WhatsApp messages by individuals falsely claiming to be from DJB... All consumers are urged to remain alert.' For now, DJB is not planning make changes to vulnerable portal, an official said. Since June, we have been spreading awareness about the scam through press releases, ads, social media and other platforms. At present, we are asking all our customers to call us and not fall prey to any of the calls or messages. We don't cancel any connection through messages. Also, people can check any meter update on our genuine website. For now, we are not making any changes to the website because people want to know the KNO and can't come to our office all the time,' a DJB official, asking not to be named. Dr Pavan Duggal, a cybersecurity expert, said, 'These cases are happening as cyber security loopholes are being exploited by fraudsters. This is not limited to DJB but multiple government portals. We need to have better cybersecurity systems in place to avoid this. Also, giving out all these personal details of the customers openly is in violation of the IT rules and regulations. The fraudsters are using the loophole to scam people. The system will have to be amended in a manner that effective remedies are provided to citizens, improved cyber security of government portals are in place and people need to be encouraged to improve cyber safety on their own.'
