- The CSC BHIM data breach includes extremely sensitive information like Aadhaar details with complete scans of the Aadhaar cards, biometric details, addresses, date of birth and more.
- In total, over 7 million records of millions users were exposed.
- CERT-In, which was notified of the leak on May 5, had reportedly fixed it on May 22.
Over 7 million records of user transactions on the CSC BHIM website were left unsecured as per a report Israeli cybersecurity website vpnMentor. These records include Aadhaar card numbers, PAN numbers, and even biometric details in a data bundle of 409 GB.
According to the
report, the CSC BHIM data breach includes personal data such as Aadhaar details, addresses, bank records, caste certificate and a complete personal profile of the users.
The data breach has since been patched up but the data was out there for anyone who knew where to look for over a year. However, the National Payments Corporation of India denies that there has been any incident. “We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem,” it said.
Transform talent with learning that worksCapability development is critical for businesses who want to push the envelope of innovation.Discover how business leaders are strategizing around building talent capabilities and empowering employee transformation.Know More The cybersecurity researchers believe that the combination of data left exposed could give hackers the ability to carry out identity theft, tax fraud, monetary theft, among other illegal activities.
The research team led by Noam Rotem and Ran Locar describe the data breach as being akin to a hacker gaining access to the entire data infrastructure of a bank and detailed information about its users’ account information. “The sheer volume of sensitive, private data exposed, along with UPI IDs, document scans, and more, makes this breach deeply concerning,” said the report explaining the seriousness of the data breach.
They assert that using the above details of the personal data about an individual, from their names and dates of birth to biometric details and ID numbers, could give third-party onlookers a complete profile of an individual — including a look into their finances and banking records. “It would be incredibly valuable to hackers… This data would make illegally accessing those accounts much easier,” said the report.
With complete profiles of BHIM users being leaked, it leaves them extremely vulnerable to all sorts of frauds and theft. The risks for affected users can exceed just monetary loss – there is a high risk of identity theft, especially since almost all personal data has been exposed.
“The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals,” it added, suggesting that the breach is likely very invasive.
How and when was BHIM UPI’s data breached?
The cybersecurity researchers claim that 409 GB of data was stored on an unsecured Amazon Web Services (AWS) S3 bucket exposing records from February 2019. “S3 buckets are a popular form of cloud storage across the world but require developers to set up the security protocols on their accounts,” said the report.
The research team at vpnMentor discovered the BHIM data breach on April 23 and contacted India’s Computer Emergency Response Team (CERT-In) on May 5.
The data leak was finally fixed by the authorities on May 22, leaving the breach exposed for an entire month after it was discovered.
| Timeline of the data breach |
| Date discovered | April 23, 2020 |
| Contact with CERT-In | April 28, 2020 |
| Response from CERT-In | April 29, 2020 |
| Contact with company | May 5, 2020 |
| Second contact with CERT-In | May 22, 2020 |
| Data of rectification | May 22, 2020* |
Unfortunately, there’s not much you can do on your end right now. If you are unsure about your data safety, you can contact CSC e-Governance Services, which is a special division set up under the Ministry of Electronics & IT. The NPCI maintains that their systems are robust and no data breach occurred to begin with despite evidence posted by the vpnMentor's cybersecurity team.
SEE ALSO:
Indian government portal leaks 8.9mn Aadhaar details, again
Here are the most controversial data breaches of 2018 that affected Indian users
New data leak hits India's national ID card database Aadhaar: ZDNet
Next Story
US buys 81 Soviet-era combat aircraft from Russia's ally costing on average less than $20,000 each, report says
2 states where home prices are falling because there are too many houses and not enough buyers
A couple accidentally shipped their cat in an Amazon return package. It arrived safely 6 days later, hundreds of miles away.
Markets rebound in early trade amid global rally, buying in ICICI Bank and Reliance
Women in Leadership
Rupee declines 5 paise to 83.43 against US dollar in early trade
Election Commission issues notification for sixth phase of Lok Sabha polls
6 Coffee recipes you should try this summer
