Security researchers found that about 7.26 million records linked to mobile payment application BHIM users were exposed to the public by the website.
VPN review site vpnMentor reported that the exposed data included sensitive information such as name, date of birth, age, gender, home address, caste status and Aadhaar card details.
A security researcher at vpnMentor wrote in a blog post on Sunday: “The scale of the exposed data is very large, affecting thousands of people in India and exposing them to potentially devastating fraud, theft and hacking by cybercriminals.”
The BHIM (Bharat Interface for Money) application, provided by the National Payments Corporation of India (NPCI), was launched in 2016.
NPCI denies data breach
NPCI said in a statement on Monday: “There is no data leakage in the BHIM App.”
“We found some news reports that hinted at a data breach in the BHIM App. What we want to clarify is that there was no data breach in the BHIM App, and we ask everyone not to succumb to such speculation. NPCI follows high security standards and a comprehensive approach to protecting its infrastructure, and continues to provide a strong payment ecosystem,” NPCI said.
In its report, vpnMentor also said that the website that leaked the data was developed by CSC e-Governance Services Ltd in cooperation with the Indian government.
After the researchers contacted the Indian Computer Emergency Response Team (CERT-In) twice within a month, the problem was resolved late last month.
The researchers said: “In this case, the data is stored in an insecure Amazon Web Services (AWS) S3 bucket,” adding that S3 buckets are a popular form of cloud storage globally, but require developers to set up security controls on their own accounts.
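The “security controls” the researchers refer to are bucket-level settings that the bucket owner, not AWS, is responsible for. As an added illustration (not code from the page, vpnMentor or CSC), the following Python audits three of those settings offline: the bucket policy document, the four Block Public Access flags, and the bucket ACL. It uses the real AWS field names and group URIs, but the bucket name, role ARN and both sample configurations are constructed for the example. A weak configuration of the kind that leads to exposures like this one is shown next to a hardened one.

```python
import json

# Real AWS group URIs that make an ACL grant public (AllUsers = anonymous,
# AuthenticatedUsers = any AWS account holder, which is effectively public).
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The four real S3 "Block Public Access" settings; all four should be True.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def principal_is_anonymous(principal):
    """True if a policy statement's Principal matches everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy):
    """Return Sids (or positional labels) of Allow statements open to anonymous callers."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given without a list
        statements = [statements]
    return [
        s.get("Sid", f"Statement[{i}]")
        for i, s in enumerate(statements)
        if s.get("Effect") == "Allow" and principal_is_anonymous(s.get("Principal"))
    ]


def public_acl_grants(grants):
    """Return (group URI, permission) pairs granted to the public ACL groups."""
    return [
        (g["Grantee"]["URI"], g["Permission"])
        for g in grants
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS
    ]


def audit_bucket(policy, public_access_block, acl_grants):
    """Combine the three checks into a list of findings; an empty list means no public exposure found."""
    findings = []
    for key in PUBLIC_ACCESS_BLOCK_KEYS:
        if not public_access_block.get(key, False):
            findings.append(f"PublicAccessBlock.{key} is not enabled")
    for sid in public_policy_statements(policy):
        findings.append(f"bucket policy statement '{sid}' grants access to an anonymous principal")
    for uri, permission in public_acl_grants(acl_grants):
        findings.append(f"bucket ACL grants {permission} to {uri}")
    return findings


# --- Constructed sample configurations (hypothetical bucket and role names) ---
# Weak: anyone may read every object, no Block Public Access, public-read ACL.
EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-merchant-uploads/*",
    }],
}
EXPOSED_PUBLIC_ACCESS_BLOCK = {k: False for k in PUBLIC_ACCESS_BLOCK_KEYS}
EXPOSED_ACL_GRANTS = [{
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ",
}]

# Hardened: only one named application role, all four blocks enabled, owner-only ACL.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/upload-service"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-merchant-uploads/*",
    }],
}
HARDENED_PUBLIC_ACCESS_BLOCK = {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS}
HARDENED_ACL_GRANTS = [{
    "Grantee": {"Type": "CanonicalUser", "ID": "<owner-canonical-id>"},
    "Permission": "FULL_CONTROL",
}]

if __name__ == "__main__":
    for label, cfg in (("exposed", (EXPOSED_POLICY, EXPOSED_PUBLIC_ACCESS_BLOCK, EXPOSED_ACL_GRANTS)),
                       ("hardened", (HARDENED_POLICY, HARDENED_PUBLIC_ACCESS_BLOCK, HARDENED_ACL_GRANTS))):
        print(label, audit_bucket(*cfg) or ["no public exposure found"])
```

In practice the three inputs come from the bucket's policy, public-access-block configuration and ACL as returned by the AWS API or CLI; the audit logic itself needs no network access, which is what makes it suitable for running over exported configurations in a pipeline. Note that the hardened policy still needs the role's own IAM permissions to be scoped just as tightly.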
“We contacted the developers of the website to inform them of the misconfiguration in the S3 bucket and to offer assistance. After receiving no response, we contacted the Indian Computer Emergency Response Team (CERT-In), which is responsible for network security,” they added.
Research led by Noam Rotem and Ran Locar of vpnMentor shows that CSC appears to have set up a website connected to the misconfigured S3 bucket to promote the use of BHIM in India and to sign up new merchant businesses such as mechanics, farmers, service providers and store owners.
The exposed data, first discovered by the security researchers on April 23, amounted to 409 GB.
The report said: “It’s hard to say exactly, but the S3 bucket seems to contain records from a short period: February 2019. However, even within such a short period of time, more than 7 million records have been uploaded and exposed.”
It added: “The exposure of BHIM user data is similar to hackers gaining access to the bank’s entire data infrastructure and its millions of user account information.”
(Input from IANS)