CSC BHIM site left Aadhaar cards, PAN numbers, and biometric information exposed — could be used to carry out financial fraud and identity theft, says report

  • The CSC BHIM data breach includes extremely sensitive information like Aadhaar details with complete scans of the Aadhaar cards, biometric details, addresses, date of birth and more.
  • In total, over 7 million records of millions of users were exposed.
  • CERT-In, which was notified of the leak on May 5, had reportedly fixed it on May 22.
Over 7 million records of user transactions on the CSC BHIM website were left unsecured, according to a report by Israeli cybersecurity website vpnMentor. These records include Aadhaar card numbers, PAN numbers, and even biometric details in a data bundle of 409 GB.

According to the report, the CSC BHIM data breach includes personal data such as Aadhaar details, addresses, bank records, caste certificate and a complete personal profile of the users.

The data breach has since been patched up but the data was out there for anyone who knew where to look for over a year. However, the National Payments Corporation of India denies that there has been any incident. “We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem,” it said.

How bad is the BHIM data breach?
The cybersecurity researchers believe that the combination of data left exposed could give hackers the ability to carry out identity theft, tax fraud, monetary theft, among other illegal activities.

The research team, led by Noam Rotem and Ran Locar, describes the data breach as being akin to a hacker gaining access to the entire data infrastructure of a bank, along with detailed information about its users’ accounts. “The sheer volume of sensitive, private data exposed, along with UPI IDs, document scans, and more, makes this breach deeply concerning,” said the report explaining the seriousness of the data breach.


They assert that the personal data exposed about an individual, from their names and dates of birth to biometric details and ID numbers, could give third-party onlookers a complete profile of that individual, including a look into their finances and banking records. “It would be incredibly valuable to hackers… This data would make illegally accessing those accounts much easier,” said the report.

The leak of complete profiles leaves BHIM users extremely vulnerable to all sorts of fraud and theft. The risks for affected users can exceed just monetary loss: there is a high risk of identity theft, especially since almost all personal data has been exposed.

“The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals,” it added, suggesting that the breach is likely very invasive.


How and when was BHIM UPI’s data breached?
The cybersecurity researchers claim that 409 GB of data was stored on an unsecured Amazon Web Services (AWS) S3 bucket exposing records from February 2019. “S3 buckets are a popular form of cloud storage across the world but require developers to set up the security protocols on their accounts,” said the report.

The research team at vpnMentor discovered the BHIM data breach on April 23 and contacted India’s Computer Emergency Response Team (CERT-In) on May 5.

The data leak was finally fixed by the authorities on May 22, leaving the data exposed for an entire month after the leak was discovered.


Timeline of the data breach
Date discovered: April 23, 2020
Contact with CERT-In: April 28, 2020
Response from CERT-In: April 29, 2020
Contact with company: May 5, 2020
Second contact with CERT-In: May 22, 2020
Date of rectification: May 22, 2020*

*Assumed day of rectification after no reply from CERT-In
Source: VPNMentor

What can you do?
Unfortunately, there’s not much you can do on your end right now. If you are unsure about your data safety, you can contact CSC e-Governance Services, which is a special division set up under the Ministry of Electronics & IT. The NPCI maintains that its systems are robust and that no data breach occurred to begin with, despite evidence posted by vpnMentor's cybersecurity team.


