CSC BHIM site left Aadhaar cards, PAN numbers, and biometric information exposed — could be used to carry out financial fraud and identity theft, says report
- The CSC BHIM data breach includes extremely sensitive information like Aadhaar details with complete scans of the Aadhaar cards, biometric details, addresses, date of birth and more.
- In total, over 7 million records of millions of users were exposed.
- CERT-In, which was notified of the leak on May 5, reportedly fixed it on May 22.
According to the report, the CSC BHIM data breach includes personal data such as Aadhaar details, addresses, bank records, caste certificates and a complete personal profile of the users.
The data breach has since been patched, but for over a year the data was out there for anyone who knew where to look. However, the National Payments Corporation of India denies that there has been any incident. “We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem,” it said.
How bad is the BHIM data breach?
The cybersecurity researchers believe that the combination of data left exposed could give hackers the ability to carry out identity theft, tax fraud, monetary theft, among other illegal activities.
The research team led by Noam Rotem and Ran Locar describes the data breach as being akin to a hacker gaining access to the entire data infrastructure of a bank and detailed information about its users’ account information. “The sheer volume of sensitive, private data exposed, along with UPI IDs, document scans, and more, makes this breach deeply concerning,” said the report explaining the seriousness of the data breach.
They assert that the above personal data about an individual, from their names and dates of birth to biometric details and ID numbers, could give third-party onlookers a complete profile of that individual, including a look into their finances and banking records. “It would be incredibly valuable to hackers… This data would make illegally accessing those accounts much easier,” said the report.
The leak of complete profiles leaves BHIM users extremely vulnerable to all sorts of fraud and theft. The risks for affected users can exceed just monetary loss – there is a high risk of identity theft, especially since almost all personal data has been exposed.
“The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals,” it added, suggesting that the breach is likely very invasive.
How and when was BHIM UPI’s data breached?
The cybersecurity researchers claim that 409 GB of data was stored on an unsecured Amazon Web Services (AWS) S3 bucket, exposing records from February 2019. “S3 buckets are a popular form of cloud storage across the world but require developers to set up the security protocols on their accounts,” said the report.
The research team at vpnMentor discovered the BHIM data breach on April 23 and contacted India’s Computer Emergency Response Team (CERT-In) on May 5.
The data leak was finally fixed by the authorities on May 22, leaving the data exposed for an entire month after the breach was discovered.
Timeline of the data breach

|Event|Date|
|---|---|
|Date discovered|April 23, 2020|
|Contact with CERT-In|April 28, 2020|
|Response from CERT-In|April 29, 2020|
|Contact with company|May 5, 2020|
|Second contact with CERT-In|May 22, 2020|
|Date of rectification|May 22, 2020*|

*Assumed day of rectification after no reply from CERT-In
What can you do?
Unfortunately, there’s not much you can do on your end right now. If you are unsure about your data safety, you can contact CSC e-Governance Services, which is a special division set up under the Ministry of Electronics & IT. The NPCI maintains that its systems are robust and that no data breach occurred to begin with, despite evidence posted by vpnMentor's cybersecurity team.