
Hackers claim data breach of 7 million BHIM users; NPCI says no data compromise at app

  • By Elite CIO
  • Date Jun 07, 2020


Source : https://www.techcircle.in/2020/06/01/npci-denies-claims-of-bhim-users-data-breach

The National Payments Corporation of India on Monday denied any data breach at its Unified Payments Interface-based (UPI) digital payments app BHIM, a day after an Israel-based cyber security group reported that seven million sensitive records have been leaked.

“NPCI follows a high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem,” government-run NPCI said in a statement.

The data breach is related to a publicly accessible website, cscbhim.in. The website was being used in a campaign to sign users and business merchants to the app from communities across India.

A research team at vpnMentor, led by Noam Rotem and Ran Locar, said it discovered a “massive amount of incredibly sensitive financial data connected to India’s mobile payment app BHIM (Bharat Interface for Money) that was exposed to the public.”

The data included BHIM-linked social security documents of Aadhaar cards, caste certificates, proof of residence, educational certificates, fund transfer screenshots, and Permanent Account Number (PAN) cards.

All related data from the campaign was being stored on a misconfigured Amazon Web Services S3 bucket, according to a blog post published on Sunday.

The S3 bucket, the cyber security researchers said, contained records from February 2019 and exposed data of about 7.3 million people.

“The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cyber criminals,” the researchers further said.

The flagged website is managed by CSC e-Governance Services India, a special purpose vehicle incorporated under the Companies Act 1956 by the Ministry of Electronics and Information Technology (MeitY), Government of India. The body, engaged in the promotion of the country’s Digital India programme, monitors the implementation of the common services centers scheme (CSCs), according to its website.

The issue, the team said, was reported to India’s Computer Emergency Response Team (CERT-In) on 28 April. The breach was closed on May 22.
