Financial and personal data of more than 7 million users left exposed in CSC BHIM website breach, NPCI denies allegations

By Digit NewsDesk | Published on 02 Jun 2020
HIGHLIGHTS
  • Sensitive records of more than 7 million Indians were left exposed by a government website.

  • The breach was discovered by an Israeli cybersecurity website.

  • Everything from scans of Aadhaar cards, caste certificates, photos used as proof of residence, professional certificates, degrees, diplomas, screenshots taken within the app as proof of fund transfers, PAN cards, and more has been left exposed for any malicious hacker to find.


Sensitive data of more than 7 million BHIM app users has been compromised after a BHIM-related website, containing sensitive documents such as Aadhaar cards, caste certificates and more, was found exposed to the public by an Israeli cybersecurity website called vpnMentor. Calling themselves a group of ethical hackers, they had reported the breach to the Indian authorities in April.

The website, http://cscbhim.in/, now taken down, was reportedly storing data on an Amazon AWS server which was kept exposed to the internet. The breach was later plugged on May 22nd by CSC e-Governance Services, which built the website, according to the blog post by the cybersecurity firm.

Personal and financial records of 7 million BHIM app users left exposed

The magnitude of the breach is extraordinary. The report claims everything from scans of Aadhaar cards, caste certificates, photos used as proof of residence, professional certificates, degrees, diplomas, screenshots taken within the app as proof of fund transfers, PAN cards, and more has been left exposed for any malicious hacker to find.

The breach also included names, dates of birth, age, gender, home addresses, religion, caste status, biometric details, fingerprint scans and ID numbers for government social security services.

The corpus of the breached data indicates this is by far the most comprehensive leak of Indian data, one that can easily be used for identity theft. And there have been quite a few over the past few years. The report mentions that the breached website also contained data of minors with some records belonging to people under 18 years.

Similarly, over 1 million CSV lists of individual app users and their UPI IDs were also left exposed.

Furthermore, the breach contained an APK which could potentially give a malicious agent key access to all data, and the ability to start and stop the AWS servers at will.

NPCI denied the breach

Digit.in independently reached out to NPCI to verify the breach. The payments corporation, which oversees the online payments landscape in India as well as the operations of the BHIM app, denied any compromise of its data.

“We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations,” the organisation said in a statement.

“NPCI follows a high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem,” the statement added.

How did the data breach happen?

The website was reportedly used in a campaign to sign up more users and merchants on the BHIM UPI app. The personal records dated as far back as February 2019 with the total size of the dump going up to 409GB.

VpnMentor found an unsecured Amazon Web Services (AWS) S3 bucket housing the data. S3 buckets are a common way of storing data in the cloud but require the developer to designate security protocols to secure the data. The team was quickly able to identify who the data bucket belonged to.

The cybersecurity firm was reportedly working on a huge web mapping project and using port scanning to examine particular IP blocks to test for weaknesses and vulnerabilities. This is when they discovered the unsecured AWS S3 Bucket.

Data left exposed even after informing NPCI and CERT-In

After investigating the breach, vpnMentor first reached out to the website developer, CSC e-Governance, from which they did not receive a reply. After that, the group also contacted India’s Computer Emergency Response Team (CERT-In) twice, and only after the second instance was the breach plugged. The website has now been taken down.
