A Customs department official, identified as Rahul Sinha, has been detained by the Intelligence Fusion and Strategic Operations (IFSO) unit of the Delhi Police for allegedly selling sensitive trade data from protected government systems to private companies, including firms based in China. The case stems from an FIR registered on March 10 under the Information Technology Act, the Customs Act, and provisions of the Bharatiya Nyaya Sanhita covering conspiracy, cheating, and breach of confidentiality.
What Happened
The investigation was triggered by a complaint filed on February 27 by the Joint Director (Data Centre and Cyber Security), Directorate General of Systems. The complaint alleged unauthorised access, extraction, disclosure, and commercial sale of sensitive customs data drawn from notified protected systems classified as critical information infrastructure (CII) under Indian law. Sinha is currently in police custody and being questioned by the IFSO unit. DCP (IFSO) Vinit Kumar confirmed the matter is under active investigation but declined to share further operational details.
What Was Taken
According to the FIR, the compromised dataset includes both personally identifiable information and commercially sensitive trade data processed and stored in central government databases. Specifically, the leak covers detailed pricing data, sourcing patterns, supplier relationships, trade volumes, logistics chain information, and market positioning details for Indian exporters and importers. Investigators describe the material as transaction-level economic intelligence: granular enough that a foreign competitor or data broker could systematically undercut Indian businesses on price and divert export orders.
Why It Matters
This case illustrates the strategic risk posed by insider threats inside critical information infrastructure, particularly when the buyer base is foreign-aligned. Customs trade data is dual-use intelligence: it informs commercial decision-making but also reveals supply chain dependencies, sanctioned-goods flows, and the competitive posture of an entire national export sector. Misuse at scale can suppress export margins, distort fair market competition, erode foreign exchange inflows, and ultimately undermine national economic resilience. For defenders, the incident is a reminder that the most sensitive datasets in government systems are not always classified material, but commercial records whose aggregation creates strategic value.
The Attack Technique
The complaint indicates the data may have been extracted through one or a combination of three vectors: misuse of legitimate user passwords, abuse of insider access privileges, or third-party access to the customs systems. No external intrusion or malware deployment has been publicly disclosed. The pattern is consistent with a privileged-insider exfiltration model, in which an authorised user with legitimate credentials systematically queries and extracts records from protected systems for monetisation through buyers identified offline. The buyer side allegedly involves shell or front companies based in China that aggregate the stolen records.
What Organizations Should Do
- Treat trade, customs, and logistics datasets as strategic assets and review which roles have bulk-query or export rights against them.
- Deploy User and Entity Behavior Analytics (UEBA) on CII systems to flag anomalous query volumes, off-hours access, and unusual data export patterns by privileged users.
- Enforce strict separation of duties for database administrators, with mandatory dual-control approval for bulk data extracts and query-level audit logging.
- Audit all third-party and contractor access to customs and trade processing systems, and revoke standing credentials in favour of just-in-time access provisioning.
- Implement Data Loss Prevention (DLP) tooling at endpoint and network egress points to detect exfiltration of structured trade records over email, cloud sync, and removable media.
- Establish a tipline and coordinated workflow with national CERT and cybercrime units, and rehearse insider-threat response playbooks alongside traditional intrusion scenarios.
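As an added illustration of the UEBA-style checks recommended above (example code written for this article, not from the investigation, the affected systems or any product), the following Python script flags off-hours access, bulk export actions, and a daily query volume far above a user's own prior baseline in constructed audit log lines. The log field layout, the business-hours window and the volume multiplier are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit log lines (not from any real system):
# timestamp,user,role,action,rows_returned
AUDIT_LOG = """\
2024-03-01T10:12:03,ops_a,analyst,QUERY,120
2024-03-01T14:40:51,ops_a,analyst,QUERY,95
2024-03-02T09:05:10,ops_a,analyst,QUERY,110
2024-03-03T11:22:44,ops_a,analyst,QUERY,130
2024-03-04T02:17:09,ops_a,analyst,EXPORT,48000
2024-03-01T09:30:00,dba_b,dba,QUERY,400
2024-03-02T10:00:00,dba_b,dba,QUERY,380
2024-03-03T16:45:00,dba_b,dba,QUERY,420
2024-03-04T12:00:00,dba_b,dba,QUERY,410
"""

BUSINESS_HOURS = range(8, 20)  # assumed window: 08:00-19:59 local time
VOLUME_MULTIPLIER = 5.0        # assumed: flag a day above 5x the user's median prior day

def parse(log):
    """Parse the comma-separated audit lines into typed event tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, user, role, action, rows = line.split(",")
        events.append((datetime.fromisoformat(ts), user, role, action, int(rows)))
    return events

def detect(log):
    """Return (user, alert_type, detail) tuples for suspicious access patterns."""
    alerts = []
    daily = defaultdict(lambda: defaultdict(int))  # user -> date -> rows returned
    for ts, user, role, action, rows in parse(log):
        daily[user][ts.date()] += rows
        if ts.hour not in BUSINESS_HOURS:            # access outside the business window
            alerts.append((user, "off_hours", ts.isoformat()))
        if action == "EXPORT":                       # any bulk extract is reviewable
            alerts.append((user, "bulk_export", f"{rows} rows"))
    # Per-user baseline: compare each day against the median of that user's earlier days.
    for user, days in daily.items():
        totals = sorted(days.items())
        for i, (day, rows) in enumerate(totals):
            prior = [r for _, r in totals[:i]]
            if len(prior) >= 2 and rows > VOLUME_MULTIPLIER * median(prior):
                alerts.append((user, "volume_anomaly",
                               f"{day}: {rows} rows vs median {median(prior):.0f}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(AUDIT_LOG):
        print(alert)
```

In production the baseline would come from weeks of history per role rather than a handful of days, and the alerts would feed the dual-control and audit review steps listed above.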