BHIM, the payments platform developed by the National Payments Corporation of India (NPCI), has suffered a data breach that compromised the personal data of more than 7.26 Mn users in India. The data breach took place on BHIM’s website and not the application itself, according to a report by Israeli cybersecurity platform vpnMentor.
vpnMentor said that the database, which was found unprotected on the web, contained users’ personal details, including Aadhaar card details, caste certificates, residence proof, bank records, professional records, certificates and PAN card details, along with financial proofs such as screenshots taken within financial and banking apps.
The database, which was about 409 Gb, also included details such as names, dates of birth, age, gender, home address, religion, caste status, biometric details, profile photos, fingerprint scans, and ID numbers for government programmes and social security services.
In response to Inc42’s email, NPCI clarified, “We have come across some news reports which suggest data breach at BHIM App. We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows a high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem.”
According to the research, the BHIM website was promoting the usage of the BHIM application across India while adding new merchants to the network. The website’s data was stored in a misconfigured Amazon Web Services S3 bucket that was publicly accessible. Some of the records in the database date back to February 2019.
Notably, S3 buckets are cloud storage containers that developers must secure by following several security protocols. vpnMentor claimed that the scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft and attack from hackers and cybercriminals.
vpnMentor cybersecurity researchers Noam Rotem and Ran Locar said that the sheer volume of sensitive, private data exposed, along with UPI IDs, document scans, and more, makes this breach deeply concerning. They also pointed out that the breach is similar to a hacker gaining access to the entire data infrastructure of a bank, along with millions of its users’ account information.
After discovering the unprotected database, vpnMentor said it reached out to CERT-In on April 28, 2020, and the database was finally secured on May 22, 2020.