Search engine exposes breach of security at bank

Researcher stumbles upon files with over 40,000 user details listed

January 10, 2013 02:00 am | Updated 09:52 pm IST - BANGALORE

In what appears to be a breach of security, an Internet search for a lawyer’s phone number led a Mumbai-based researcher to large troves of data (http://knowledge.bankofindia.com:8080) in what looked like a directory listing of scores of folders stored on a Bank of India portal. Each folder contained documents that indexed data, including user IDs, names, dates of birth, email IDs, passwords, and details of branch and head offices. One of the many folders accessed by The Hindu listed what appeared to be personal data pertaining to more than 42,000 users.

While there is little doubt that there has indeed been a security lapse, it is unclear whether this data compromises the bank or its customers in any way. When contacted, a Bank of India official claimed that this data “was by no means sensitive”, but merely a repository of employee information stored “for internal communication purposes”.

Sameer J. Ratolikar, Chief Information Security Officer, Bank of India, told The Hindu that the data is from “an internal knowledge portal that was shut down in 2006.”

Mr. Ratolikar said that there was no security breach as the data was old and not related to customer databases. “We had an old system in 2006 which was available from the Internet for overseas branches and this file was part of that old communication.” When asked whether it was not a breach that fields containing data as critical as passwords and dates of birth had been up on the Internet, he said: “The passwords are not valid as the system has been dysfunctional for long. We have written to Google to remove contents from its cache.”

That this data, even if only employee information, was accessible on the web violates privacy. Among the email IDs listed in the files accessed by this correspondent were a few registered under a Bank of India domain name, but there were also many personal IDs. One of the entries even listed a date of birth of 1945.

Oommen C. Kurian, the Mumbai-based health researcher who found the data during a routine search on Wednesday morning, first alerted the bank. After repeated calls, BOI cut off access to the directory by early evening. A BOI customer himself, Mr. Kurian said he was intrigued when he found files with over 40,000 user details listed. He claims that he was also able to find files linked to names selected for increments, and internal documents, some of them created in 2011. “It is a clear breach of security that all this data is out in the open. It is incredible that such data is so freely accessible on Google. Even if the database is old, as the bank has claimed, it doesn't mean it is redundant,” he said, pointing out that even if the data is old, many of the passwords may still be valid and that many people use the same password across different accounts.
