
NPCI denies security lapses in Bhim website, but cyber researchers stand by report

ohit KVN
Last Updated : 02 June 2020, 17:01 IST


The National Payments Corporation of India (NPCI), the creators of the digital wallet Bhim app, on Tuesday (June 2) denied any exposure of user data.

On Sunday (May 31), an Israel-based security firm vpnMentor revealed that the CSC Bhim app website data was stored in a misconfigured cloud storage server -- an Amazon Web Services S3 bucket -- that could have left the personal and financial details of users of the popular digital wallet vulnerable to cybercriminals.

The security lapse was apparently noticed by vpnMentor on April 23, 2020, and the firm brought it to the notice of the Indian Computer Emergency Response Team (CERT-In) on April 28. The issue was reportedly fixed on May 22. vpnMentor said that the Bhim app website was maintained by CSC E-Governance Ltd and partly by the Indian government.

As per vpnMentor, the exposed data included Aadhaar numbers, names, genders, dates of birth, Permanent Account Numbers, Unified Payment Interface IDs, scanned copies of caste and religion certificates, user pictures along with residential details, professional degree certificates, screenshots of financial and banking apps as proof of fund transfers and scans of fingerprint impressions.

Taking cognisance of the news reports, the NPCI conducted an independent verification through a leading Digital Risk Monitoring firm and concluded that there was not even a single instance of a data breach on the website.

"CSC e-Governance Services India Ltd is working on a project named Promotion of Digital Payments Enablement of Merchants since 2018," said Dr Dinesh Tyagi, CEO, CSC eGovernance Services India Ltd. "The project did not involve taking Aadhaar data of any merchant, therefore there is no question of personal identifiable information such as Aadhaar data to be made public. Data points like Merchant Virtual Payment Address (VPA) were kept public for larger transparency of the system. The project portal and data have been hosted on Indian servers located within the country."

"We submit that data points like VPA were kept public for larger transparency of the system since it was a government project and there was a need to record/verify the inward transactions on VPAs," Tyagi said. "It is further clarified that no Aadhaar data was asked in the project nor was Aadhaar captured, and therefore the question of exposing Aadhaar data does not arise."

However, vpnMentor is standing its ground on the veracity of its findings. It should be noted that the CSC Bhim website has been defunct since the report made headlines in the media on Monday; the page now reads, "cscbhim.in’s server IP address could not be found."

Here's vpnMentor's response to the NPCI:
"The attempts by various parties in India to deny our findings are sad. The fact remains that PII data of millions of Indian citizens were left unprotected on a public bucket named after CSC BHIM, and instead of looking into the faults that led to this breach and making sure they won't happen again, we are faced with ridiculous claims it never happened."

"The fact remains that very private and personal data of millions of Indian citizens were left exposed to anyone with a web browser. The full report, detailing data leak details and samples of images leaked online has been published at https://www.vpnmentor.com/blog/report-csc-bhim-leak/. We managed to confirm CSC BHIM as the owner of the bucket in our research. The csc-bhim site mentions NPCI and Punjab National Bank as their partners. The site features photos from BHIM drives in various parts of India, under the BHIM logo. The site itself bears the BHIM logo, as well as that of the Indian Ministry of Electronics and Information."

Published 02 June 2020, 17:01 IST
