CSC Bhim app data breach exposed payment, personal details of over 7 million Indians

Leaked data exposed Bhim app users' Aadhaar numbers with name, gender, date of birth, PANs, religion, caste certificates and more
Last Updated 03 June 2020, 16:46 IST

Popular digital wallet Bhim's website suffered a data breach exposing more than seven million Indians' financial and personal details.

Apparently, the user data of the Bhim app website was stored in a misconfigured cloud storage server -- Amazon Web Services S3 bucket. There was no proper security protocol in place to prevent hackers from breaching the server, reported vpnMentor, an Israel-based cybersecurity firm.

The company responsible for the development of the official Bhim website and the care-taker of sensitive data is understood to be the Common Services Center(CSC) e-Governance Services LTD and also partly managed by the Indian government.

"It appears CSC established the website connected to the misconfigured S3 Bucket to promote BHIM usage across India and sign up new merchant businesses, such as mechanics, farmers, service providers, and store owners onto the app. It’s difficult to say precisely, but the S3 bucket seemed to contain records from a short period: February 2019. However, even within such a short timeframe, over 7 million records had been uploaded and exposed," vpnMentor said.

The exposed user-data understood to be around 409 GB in size contain sensitive information including-- Scans of Aadhaar card with the number, name, gender, date of birth, Permanent Account Number (PAN), Unified Payment Interface (UPI) IDs, scanned copies of Caste and Religion certificates, user's picture along with residential details, professional degree certificates, screenshots of financial and banking apps as proof of fund transfers and scans of fingerprint impressions (Note: Our understanding is that some people probably in rural areas, who don’t know how to sign may have submitted thumb impression in one of KYC documents submitted to BHIM app's website).

The vulnerability in the CSC Bhim website and cloud storage server was first detected on 23 April and vpnMentor is said to have approached state-run Indian Computer Emergency Response Team (CERT-In) on April 28. The latter responded to complaints on the following day and is said to have rectified the security loopholes in the Bhim cloud storage system on May 22.

"The sheer volume of sensitive, private data exposed, along with UPI IDs, document scans, and more, makes this breach deeply concerning. The exposure of BHIM user data is akin to a hacker gaining access to the entire data infrastructure of a bank, along with millions of its users’ account information. Having such sensitive financial data in the public domain or the hands of criminal hackers would make it incredibly easy to trick, defraud, and steal from the people exposed. Our research also suggested that some of the exposed BHIM users were minors, who would be particularly vulnerable to fraudulent schemes,” Noam Rotem and Ran Locar, vpnMentor research team members said in a statement.

The vpnMentor has shared screen-shots of the exposed scanned copies of Aadhaar card, caste certificate, and even the Unified Payments Interface (UPI) ID numbers. The cybersecurity team members have urged the Indian government and the partner management company of Bhim website to make the S3 bucket private and add authentication protocols, follow AWS access and authentication best practices and add more layers of protection to their S3 bucket to further restrict who can access it from every point of entry. (You can find the full report of vpnMentor, here)

So far, there are no official reports of misuse of Bhim UPI app users' financial data as such, but consumers are warned not to share any OTP (One Time Password) nor respond to calls or emails from anybody seeking bank account number or any financial details.

Here's the official response from NPCI (National Payments Corporation of India):

“We have come across some news reports which suggest data breach at BHIM App. We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem”.

Here's How to safeguard your PC or mobile phone from adware and other malicious threats:
1) Whether you have an Android mobile or iOS-based iPhone or Windows-powered PCs or Mac computer, always stay updated with the latest software. All Google, Microsoft, and Apple send regularly send firmware — especially security patches monthly or on a priority basis, whenever they detect threats. So, make sure you install the latest software.
2) Another good practice is to install a premium Antivirus software, which offers 24x7 protection. They are equipped to detect threats quickly whenever you unknowingly visit a shady website
3) As said before never ever open emails or SMS and click URL links sent from unknown senders
4) Also, never install apps or software from unfamiliar publishers.
5) Always download apps from Google Play or Apple App Store or Windows Store only. Never install from any third-party app store.

Get the latest news on new launches, gadget reviews, apps, cyber security and more on personal technology only on DH Tech.

(Published 01 June 2020, 10:05 IST)

Follow us on