Govt Audit Reveals Security Vulnerabilities In NPCI Infrastructure

A government audit revealed several ‘critical’ and ‘high’ risk security vulnerabilities in India’s flagship payments processor, the National Payments Corporation of India (NPCI), according to an internal government document accessed by Reuters. 

The audit, which happened over a period of four months leading up to February 2019, revealed a lack of encryption for personal data with the NPCI, which operates the Unified Payments Interface (UPI), forming the crux of the country’s digital payments infrastructure. The NPCI also runs the RuPay card network, one of PM Narendra Modi’s high-profile initiatives as part of the government’s push for ‘Digital India’. 

The government document from March 2019 notes that information such as 16-digit card numbers, customer’s names, account numbers and other such information was stored in plain text, leaving the data unprotected in the event of a system breach.

“All observations raised in last year’s report have been confirmed as resolved by the NPCI,” India’s National Cyber Security Coordinator, Rajesh Pant, whose office coordinated the audit, said in a statement to Reuters. 

The audit’s findings highlight the challenges faced by the NPCI, an umbrella organisation set up by the Reserve Bank of India (RBI) and the Indian Banks Association (IBA) in 2008, for operating retail payments and settlement systems in India. With the launch of UPI in 2016, the digital payments market in India received a boost and is expected to scale, in terms of volume, from $5.35 Bn in FY19 to $59.77 billion in FY23 at a CAGR of 287%.

According to an Inc42 report from January this year, government data shows that in 2019 alone, India witnessed 3.94 lakh instances of cybersecurity breaches. In terms of hacking of state and central government websites, Indian Computer Emergency Response Team (CERT-In) data shows that a total of 336 websites belonging to central ministries, departments and state governments were hacked between 2017 and 2019. 

According to Nasscom’s Data Security Council of India (DSCI) report 2019, India witnessed the second-highest number of cyberattacks in the world between 2016 and 2018. This comes at a time when digitisation of the Indian economy is predicted to result in a $435 Bn opportunity by 2025.

In a bid to control the growing incidents of cybercrime in the country, the government, in February this year, set up a National Cyber Research, Innovation and Capacity Building Centre in Hyderabad, Telangana. 

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.