NE SCIENCE & TECHNOLOGY BUREAU
AHMEDABAD, JUNE 4
The research team at vpnMentor, an online security firm, said that sensitive financial and personal data related to BHIM, India’s mobile payment app, had been exposed to the public. The firm said that over 400GB of data containing more than seven million sensitive records “affecting millions of people all over India” were being exposed from a “misconfigured Amazon Web Services S3 bucket.”
The NPCI has rejected vpnMentor’s allegations and claimed that the BHIM app is very safe and secure.
The team said that the exposed records include scans of Aadhaar cards, caste certificates and Permanent Account Number (PAN) cards. According to the vpnMentor report, the research team discovered the issue on April 23 and reached out to India’s Computer Emergency Response Team (CERT) on April 28. However, the exposure was said to have been closed only on May 22, after the vpnMentor team contacted CERT a second time.
“The sheer volume of sensitive, private data exposed, along with UPI IDs, document scans, and more, makes this breach deeply concerning. The exposure of BHIM user data is akin to a hacker gaining access to the entire data infrastructure of a bank, along with millions of its users’ account information. Having such sensitive financial data in the public domain or the hands of criminal hackers would make it incredibly easy to trick, defraud, and steal from the people exposed. Our research also suggested that some of the exposed BHIM users were minors, who would be particularly vulnerable to fraudulent schemes,” according to Noam Rotem and Ran Locar.
The BHIM (Bharat Interface for Money) mobile payment app was launched in 2016 by the National Payments Corporation of India (NPCI). By 2020, the NPCI recorded over 136 million downloads of the BHIM app. Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered that a massive amount of incredibly sensitive financial data connected to the BHIM mobile payment app had been exposed to the public.
The CSC/BHIM website was being used in a campaign to sign up large numbers of users and business merchants to the app from communities across India. According to vpnMentor, some data from this campaign was stored on a misconfigured Amazon Web Services S3 bucket and was publicly accessible.
The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals.
The developers of the CSC/BHIM website could easily have avoided exposing user data had they taken some basic security measures to protect it.
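The “basic security measures” the article refers to come down to the three S3 settings that can make a bucket world-readable: a bucket ACL granting a public group, an unconditional bucket policy with a wildcard principal, and Block Public Access left off. The audit below is an added example, not code from vpnMentor, NPCI or the CSC/BHIM site; it takes dicts in the shapes returned by the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock APIs (as boto3 returns them), makes no AWS calls, and runs against constructed sample values, including a placeholder bucket name that is not the real bucket.

```python
# S3 predefined groups: AllUsers = the whole internet, AuthenticatedUsers = any AWS account holder.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# The four account/bucket-level Block Public Access settings.
BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
               "BlockPublicPolicy", "RestrictPublicBuckets")

def public_acl_grants(acl):
    """ACL grants (GetBucketAcl shape) whose grantee is one of the public groups."""
    out = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            out.append(f"ACL grants {g['Permission']} to {PUBLIC_GROUPS[grantee['URI']]}")
    return out

def public_policy_statements(policy):
    """Allow statements (GetBucketPolicy shape) open to any principal with no Condition."""
    out = []
    for s in policy.get("Statement", []):
        if s.get("Effect") != "Allow" or s.get("Condition"):
            continue  # simplification: some Condition keys still leave a bucket public
        p = s.get("Principal")
        aws = p.get("AWS", []) if isinstance(p, dict) else p
        if aws == "*" or (isinstance(aws, list) and "*" in aws):
            acts = s.get("Action", [])
            acts = [acts] if isinstance(acts, str) else acts
            out.append(f"Policy {s.get('Sid', '?')} allows {', '.join(acts)} to everyone")
    return out

def public_access_block_gaps(block):
    """Block Public Access flags that are off (GetPublicAccessBlock shape); empty = fully blocked."""
    return [f for f in BLOCK_FLAGS if not block.get(f, False)]

def audit_bucket(acl, policy, block):
    """All findings for one bucket; an empty list means nothing public was found."""
    return (public_acl_grants(acl) + public_policy_statements(policy)
            + [f"Block Public Access flag {f} is off" for f in public_access_block_gaps(block)])
# Constructed sample of the weak configuration (world-readable objects) and the hardened one.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-campaign-bucket/*"}]}
NO_BLOCK = {}                              # no Block Public Access configured at all
HARDENED = {f: True for f in BLOCK_FLAGS}  # every public-access path blocked
```

Calling `audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, NO_BLOCK)` lists six findings for the weak setup, while an empty ACL and policy with `HARDENED` returns nothing; in practice the same checks are run over `list_buckets()` output on a schedule so a campaign bucket left open is caught in hours, not weeks.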