What you need to know
- Indian mobile payment app BHIM reportedly suffered a data breach a few weeks back, exposing sensitive financial data of over 7 million users.
- The security bug was reported to the NPCI on April 23, and it was fixed roughly a month later.
- Bharat Interface for Money (BHIM) app was launched in 2016 by the National Payments Corporation of India (NPCI).
The research team at vpnMentor has discovered that a massive amount of sensitive financial data connected to India's BHIM mobile payment app was exposed to the public. According to the cybersecurity website, all data from the BHIM website, which was used in a campaign to get millions of Indian users and business merchants to start using the app, was stored in a "misconfigured Amazon Web Services S3 bucket" and was publicly accessible.
S3 buckets are among the most widely used forms of cloud storage globally, but they leave it to the account owner to configure access controls correctly. Because this S3 bucket was not configured properly, the data could have been accessed by anyone who found it, including hackers and cybercriminals. The security research team at vpnMentor tried reaching out to the website's developers about the misconfiguration but did not receive any response.
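The article's point is that an S3 bucket is only as private as its owner's settings make it. The following audit script is an added example for this page (not code from vpnMentor, NPCI or AWS): it consumes the dictionaries that boto3's `get_public_access_block`, `get_bucket_acl` and `get_bucket_policy` calls return and reports which settings leave a bucket world-readable. The two sample responses at the bottom are constructed for illustration; the bucket names are placeholders.

```python
"""Audit S3 bucket settings for public exposure.

Added example for this article, not code from vpnMentor, NPCI or AWS. The
functions take the dictionaries returned by boto3's get_public_access_block,
get_bucket_acl and get_bucket_policy, so they work on live responses or on
the constructed samples at the bottom of this block.
"""
import json
from typing import List, Optional

# Canned group URIs that make an ACL grant readable by the world or by any AWS user.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_access_block_gaps(pab: Optional[dict]) -> List[str]:
    """Return the Block Public Access flags that are missing or False."""
    if pab is None:  # boto3 raises NoSuchPublicAccessBlockConfiguration; the caller passes None
        return list(PAB_FLAGS)
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return [flag for flag in PAB_FLAGS if not cfg.get(flag, False)]


def public_acl_grants(acl: dict) -> List[str]:
    """Return 'Group:Permission' for every grant to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"{group}:{grant.get('Permission')}")
    return findings


def public_policy_statements(policy_json: Optional[str]) -> List[str]:
    """Return 'Sid:actions' for Allow statements with a wildcard principal and no Condition."""
    if not policy_json:
        return []
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if wildcard and not stmt.get("Condition"):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            findings.append(f"{stmt.get('Sid', '<no Sid>')}:{','.join(actions)}")
    return findings


def audit_bucket(name: str, pab: Optional[dict], acl: dict, policy_json: Optional[str]) -> dict:
    """Combine the three checks. A public grant or statement only counts as live
    exposure when the Block Public Access flag that would neutralise it is also off."""
    gaps = public_access_block_gaps(pab)
    grants = public_acl_grants(acl)
    stmts = public_policy_statements(policy_json)
    exposed = (bool(grants) and "IgnorePublicAcls" in gaps) or (bool(stmts) and "RestrictPublicBuckets" in gaps)
    return {"bucket": name, "public_access_block_gaps": gaps, "public_acl_grants": grants,
            "public_policy_statements": stmts, "exposed": exposed}


# Constructed sample responses (placeholder bucket names, not real buckets): one open, one locked down.
OPEN_BUCKET = {
    "name": "example-campaign-assets",
    "pab": None,
    "acl": {"Owner": {"ID": "owner-id"},
            "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
                       {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    "policy_json": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-campaign-assets/*"}]}),
}
LOCKED_BUCKET = {
    "name": "example-campaign-assets-private",
    "pab": {"PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS}},
    "acl": {"Owner": {"ID": "owner-id"},
            "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]},
    "policy_json": None,
}

if __name__ == "__main__":
    for bucket in (OPEN_BUCKET, LOCKED_BUCKET):
        print(json.dumps(audit_bucket(**bucket), indent=2))
```

The `exposed` flag deliberately cross-references the Block Public Access settings: a world-readable ACL is harmless while `IgnorePublicAcls` is on, and a wildcard bucket policy is contained while `RestrictPublicBuckets` is on, so reporting either finding on its own would produce false positives on accounts that rely on those account-level guards.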
On April 28, 2020, five days after discovering the misconfiguration, vpnMentor contacted India's Computer Emergency Response Team (CERT-In) about the issue. The security issue was finally fixed around May 22, after CERT-In was contacted a second time.
As per vpnMentor, there were around 7.26 million records in the S3 bucket, with the total size estimated to be 409GB. The records contained in the misconfigured S3 bucket included scans of Aadhaar cards, caste certificates, photos used as proof of residence, Permanent Account Number (PAN) cards, and more. These records gave a complete profile of individuals, including their full names, age, residential address, biometric details, banking records, and ID numbers for various government programs.
The NPCI, however, has denied the report and said in a statement that there has been no data breach in the BHIM app. It has also urged everyone to "not fall prey to such speculations."