The Hindu
National
Special Correspondent

NPCI denies breach of BHIM app data

 

Following a report by security researchers alleging a leak of personal data of millions of users of the government’s BHIM payment application due to a website breach, the National Payments Corporation of India (NPCI) on Monday denied the claim, asking “everyone to not fall prey to such speculations”.

The report by vpnMentor alleged that 409 gigabytes of data, comprising about 7.26 million records, was leaked, including personally identifiable information such as Aadhaar card details, residence proof and bank records, along with complete profiles of individuals.

According to vpnMentor’s website, it is the world’s largest VPN review website, and its research lab is a pro bono service that strives to help the online community defend itself against cyber threats, while educating organisations on protecting their users’ data.

The report claims that a website, http://cscbhim.in/, developed by CSC e-Governance Services in partnership with the Indian government, was being used in a campaign to sign up users and business merchants to the BHIM app. “All related data was being stored on a ‘misconfigured’ Amazon Web Services S3 bucket and was publicly accessible,” it said.

Stored in cloud

The researchers explained that S3 buckets are a popular form of cloud storage across the world but require developers to set up the security protocols on their accounts. “In this case, the data was stored on an unsecured Amazon Web Services (AWS) S3 bucket.”

“The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals,” it said, adding that the developers of the website could have easily avoided exposing user data if they had taken some basic security measures to protect the data.

The researchers also pointed out that, after receiving no reply from the website’s developers, they reached out to India’s Computer Emergency Response Team (CERT-In) twice, following which the breach was closed.

“We have come across some news reports which suggest data breach at BHIM App. We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem,” NPCI said in a statement.
