The BHIM (Bharat Interface for Money) app, a popular digital payments app in India, recently suffered a data breach through a misconfigured Amazon S3 bucket belonging to its website, which exposed highly sensitive information on more than 7.26 million Indians.
Security researchers at vpnMentor discovered a publicly accessible database of the website cscbhim[dot]in, over 409GB in size, containing personal and private data of Indians such as names, dates of birth, age, gender, home addresses, religion, caste status, biometric details, profile and ID photos, ID numbers for government programs and social security, UPI IDs of individual BHIM app users and much more.
The exposed website cscbhim[dot]in was developed by Common Services Center (CSC) e-Governance Services Ltd in partnership with the Indian government to on-board a large number of users and business merchants to the BHIM app. The BHIM app was launched in 2016 by NPCI (National Payments Corporation of India).
“The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals,” said the researchers at vpnMentor. “Some affected parties deny the facts, disregarding our research or playing down its impact. So, we need to be thorough and make sure everything we find is correct and accurate.”
The research team, led by Noam Rotem and Ran Locar, also added screenshots (see the images below) to substantiate their findings:
The team said they reached out to the website’s developers to notify them about the misconfigured, exposed S3 bucket (first discovered on 23 April), but having received no response from the developers, they contacted CERT-In (India’s Computer Emergency Response Team) on 28 April. CERT-In acknowledged the discovery, and the issue was fixed on 23 May.
“It’s difficult to say precisely, but the S3 bucket seemed to contain records from a short period: February 2019. However, even within such a short timeframe, over 7 million records had been uploaded and exposed,” reads the report published by vpnMentor.
“The vpnMentor research team discovered the misconfiguration in CSC’s S3 bucket as part of a huge web mapping project. Our researchers use port scanning to examine particular IP blocks and test different systems for weaknesses or vulnerabilities. They examine each weakness for any data being exposed. Our team was able to access this S3 bucket because it was completely unsecured and unencrypted,” said the report.
Yesterday, NPCI issued a statement denying any data breach or compromise of data on the BHIM app.
“We have come across some news reports which suggest data breach at BHIM App. We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows a high level of security and an integrated approach to protect its infrastructure and continues to provide a robust payments ecosystem,” the NPCI said.
The Impact Of This Data Breach
The data leaked in this massive breach included sensitive personal information along with UPI IDs, scanned Aadhaar cards and other documents.
Cybercriminals could use this data in many ways to carry out illegal activities such as financial theft or fraud, impersonation using the identities in the stolen user records, or even gaining access to the account information of millions of users.
“E-payment platforms and their users in developing countries are popular targets for fraud and theft. Users generally lack financial education and awareness of how scams like those listed above work. They can be easily tricked and swindled by professional fraudsters and criminal rings,” said the researchers. “Our research also suggested that some of the exposed BHIM users were minors, who would be particularly vulnerable to fraudulent schemes.”
“The developers of the CSC/BHIM website could have easily avoided exposing user data if they had taken some basic security measures to protect the data. These include, but are not limited to, securing its web servers, implementing proper access rules, never leaving a system that doesn’t require authentication open to the internet,” said the researchers, concluding the report.
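As an added defender-side example (not from vpnMentor's report or the CSC/BHIM project), the following Python audits the three settings that decide whether an S3 bucket is readable by anyone: the bucket ACL, the bucket policy and the Block Public Access flags, with constructed samples showing the weak configuration the researchers describe beside the corrected one. It works on the JSON shapes boto3 returns for these calls, so it runs offline; in real use you would feed it the responses of `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block`.

```python
# Constructed samples in the JSON shapes boto3's get_bucket_acl, get_bucket_policy
# and get_public_access_block return; no real account data, no network calls.
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def acl_public_grants(acl):
    """Permissions the ACL hands to 'everyone' or 'any AWS account'."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g["Grantee"].get("Type") == "Group"
                  and g["Grantee"].get("URI") in PUBLIC_GROUPS)

def policy_allows_anonymous_read(policy):
    """True if an unconditional Allow lets Principal '*' read objects."""
    for st in policy.get("Statement", []):
        p = st.get("Principal")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (st.get("Effect") == "Allow" and not st.get("Condition")
                and (p == "*" or (isinstance(p, dict) and p.get("AWS") == "*"))
                and any(a in ("s3:GetObject", "s3:*", "*") for a in actions)):
            return True
    return False

def audit_bucket(acl, policy=None, public_access_block=None):
    """Return findings; an empty list means no public exposure detected."""
    bpa = public_access_block or {}
    findings = []
    grants = acl_public_grants(acl)
    if grants and not bpa.get("IgnorePublicAcls"):  # IgnorePublicAcls overrides ACL grants
        findings.append("ACL grants %s to public groups" % ", ".join(grants))
    if (policy and policy_allows_anonymous_read(policy)
            and not bpa.get("RestrictPublicBuckets")):  # this flag blocks anonymous policy access
        findings.append("bucket policy allows anonymous s3:GetObject")
    missing = [f for f in BPA_FLAGS if not bpa.get(f)]
    if missing:
        findings.append("Block Public Access incomplete: " + ", ".join(missing))
    return findings

# Weak setting: world-readable ACL and no Block Public Access (constructed).
EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
# Corrected setting: owner-only ACL plus all four Block Public Access flags set.
OWNER_ONLY_ACL = {"Grants": EXPOSED_ACL["Grants"][:1]}
HARDENED_BPA = {flag: True for flag in BPA_FLAGS}

if __name__ == "__main__":
    print(audit_bucket(EXPOSED_ACL), audit_bucket(OWNER_ONLY_ACL, None, HARDENED_BPA))
```

Note that a public ACL is only neutralised by IgnorePublicAcls and a public policy only by RestrictPublicBuckets; the other two flags stop new public settings from being written but do not undo existing ones.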