Indian Council of Medical Research (ICMR) systems holding hundreds of millions of health and personal records were reached after attackers reused credentials taken from earlier breach dumps and infostealer logs. Once inside, they moved laterally with session tokens and API calls that demanded no further verification. Verizon's 2025 DBIR reports that 54 percent of ransomware victims had domains appear in credential dumps, the same pattern seen here. IBM's 2025 Cost of a Data Breach Report puts the average incident at $4.44 million, with a mean time to identify and contain of 241 days.

The exposure followed a standard sequence: a valid email and password pair granted initial access, and the session tokens issued afterwards gave sustained reach into databases without any further authentication prompt.

How Reusable Credentials Created the Initial Foothold

Leaked corporate credentials allowed direct login with no additional tooling. Because the same username and password combinations remained valid across systems, a single successful authentication was enough to obtain session material, which then served as the key for every subsequent database query and API call. Whether the target's own credential store was ever breached did not matter: the reused values had already been collected elsewhere and were accepted at face value.

Why Traditional Second Factors Failed to Block Access

SMS codes and time-based one-time passwords are shared secrets too. They stop a plain credential-stuffing login, but a phishing proxy that relays the code in real time defeats them, and they are never consulted again once a session token has been issued: an attacker holding that token bypasses fresh challenges entirely. In this case the authentication model continued to rely on secrets that had been captured in advance, leaving the data reachable for extended periods.

Device-Bound Public-Key Authentication as the Preventive Control

MFA 2.0 replaces reusable credentials with phishing-resistant, passwordless authentication built on public-key cryptography, the same model that underpins Apple Pay and Google Pay. The private key is generated and stored only on the endpoint device; it is never transmitted and never held in any central database. The result is a device-bound credential that supports same-device authentication without requiring a second device.

Because no shared secret exists at any point in the identity lifecycle (registration, device onboarding, authorization, authentication and decommissioning), there is no material for an attacker to capture, reuse or replay. Verification is a challenge-response: the relying party issues a fresh, single-use challenge, the device signs it together with the origin it is talking to, and the relying party checks the signature against the public key registered for that user. Binding the signature to the origin is what makes the factor phishing-resistant, since a signature obtained on a look-alike site does not verify for the real one. The ICMR exposure shows that the decisive control lies in eliminating phishable factors before any session is established. Session tokens issued after a successful login still deserve the same care (short lifetimes, and binding to the device key where the platform allows it), since the attackers here used tokens, not passwords, to move laterally. Without a reusable credential to obtain at the outset, lateral movement has nothing to start from.
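As an added worked example, not taken from the original page or from any MFA 2.0 product, the Go program below plays both sides of the two models contrasted here and in the section on second factors above. A shared-secret HOTP code (TOTP is the same construction over a time counter) is accepted by the server even when a phishing proxy relayed it, because the server cannot tell where the code was typed. The device-bound factor issues a one-time challenge, has the device sign the challenge together with the origin it believes it is talking to, and verifies against the registered public key; a replayed signature and a signature coaxed out on a look-alike origin are both rejected. The origin binding (a SHA-256 over origin and challenge) is a simplification of what WebAuthn does with clientDataJSON, and the user name, origins and HOTP secret are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// hotp is RFC 4226: a code derived from a secret that both sides must hold.
func hotp(secret []byte, counter uint64, digits int) string {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(buf[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// verifyOTP is the server side: it sees a six-digit string and cannot tell whether the
// code was typed on the real site or relayed through a phishing proxy moments earlier.
func verifyOTP(secret []byte, counter uint64, code string) bool {
	return hmac.Equal([]byte(hotp(secret, counter, 6)), []byte(code))
}

// signedMessage binds the challenge to the origin the signer is talking to. This is a
// simplified stand-in (assumption) for WebAuthn's clientDataJSON hashing.
func signedMessage(challenge []byte, origin string) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so origin and challenge cannot run together
	h.Write(challenge)
	return h.Sum(nil)
}

// Device holds the private key; nothing but Sign ever touches it, and Sign never exports it.
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() (*Device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv: priv}, pub
}

func (d *Device) Sign(challenge []byte, origin string) []byte {
	return ed25519.Sign(d.priv, signedMessage(challenge, origin))
}

// RelyingParty stores public keys only; dumping its database yields nothing to log in with.
type RelyingParty struct {
	Origin  string
	pubkeys map[string]ed25519.PublicKey // user -> registered public key
	pending map[string][]byte            // user -> outstanding one-time challenge
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, pubkeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.pubkeys[user] = pub }

func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.pending[user] = c
	return c
}

// Verify consumes the challenge whether or not the signature is good (so nothing can be
// presented twice), then checks the signature against the RP's own origin, not the signer's claim.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) error {
	want, ok := rp.pending[user]
	if !ok || !hmac.Equal(want, challenge) {
		return errors.New("unknown or already-consumed challenge")
	}
	delete(rp.pending, user)
	pub, ok := rp.pubkeys[user]
	if !ok {
		return errors.New("no key registered for user")
	}
	if !ed25519.Verify(pub, signedMessage(challenge, rp.Origin), sig) {
		return errors.New("signature does not verify for this origin")
	}
	return nil
}

// Outcome records the four cases: relayed OTP, genuine login, replayed signature, phished signature.
type Outcome struct{ OTPRelayAccepted, LegitAccepted, ReplayRejected, PhishOriginRejected bool }

func RunScenario() Outcome {
	var o Outcome
	secret := []byte("12345678901234567890") // constructed shared secret (RFC 4226 test secret)
	relayedCode := hotp(secret, 7, 6)        // what the victim typed into the phishing page
	o.OTPRelayAccepted = verifyOTP(secret, 7, relayedCode)

	rp := NewRelyingParty("https://portal.example") // constructed origins and user
	dev, pub := NewDevice()
	rp.Register("analyst", pub)

	c1 := rp.Challenge("analyst") // 1. genuine login
	sig1 := dev.Sign(c1, rp.Origin)
	o.LegitAccepted = rp.Verify("analyst", c1, sig1) == nil
	o.ReplayRejected = rp.Verify("analyst", c1, sig1) != nil // 2. captured pair replayed

	c2 := rp.Challenge("analyst") // 3. proxy relays the real challenge to a look-alike origin
	sig2 := dev.Sign(c2, "https://portal-example.login-verify.example")
	o.PhishOriginRejected = rp.Verify("analyst", c2, sig2) != nil
	return o
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

The asymmetry is the whole point: the OTP server verifies a value that was, by design, transmitted and shared, so a relay is indistinguishable from the real user, while the relying party verifies a signature over a one-time challenge and its own origin, so neither a captured signature nor one produced for another site is of any use.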