The breach exposed 409 GB of sensitive user information, including financial details, Aadhaar card details, photos, bank records, PAN details and caste certificates, alongside complete profiles of the affected users, as reported.
BHIM (Bharat Interface for Money), one of India's most widely used mobile payment apps, has suffered a data breach affecting over 7 million people, with the data left publicly accessible on the internet, according to the Israeli cybersecurity firm vpnMentor.
According to vpnMentor's research, a website used in a campaign to sign up users and merchants to the BHIM app stored some of that data on a "misconfigured Amazon Web Services S3 bucket" that "was publicly accessible". The exposed records dated from February 2019 onwards.
To elaborate: an S3 bucket is cloud object storage, and under AWS's shared-responsibility model it is the account that owns the bucket, not AWS, that must configure its access controls. A bucket whose ACL, bucket policy or Block Public Access settings permit anonymous access can be read by anyone who learns its name.
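The kind of misconfiguration described above is easy to audit offline once you have pulled a bucket's ACL, bucket policy and Block Public Access settings. The following is an added example, not code from vpnMentor, NPCI or the BHIM project: it checks the three places an S3 bucket can become public (a public-group ACL grant, an Allow statement to an anonymous principal in the bucket policy, and a disabled Block Public Access setting). The bucket name `example-signup-bucket` and both sample configurations are constructed for illustration; the JSON shapes follow what the AWS `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` calls return, so real responses can be fed in unchanged.

```python
"""Offline audit of an S3 bucket's access configuration for public exposure.

Input shapes match the AWS API responses:
  get_bucket_acl          -> {"Grants": [...]}
  get_bucket_policy       -> {"Version": ..., "Statement": [...]}
  get_public_access_block -> {"PublicAccessBlockConfiguration": {...}}
"""

# Grantee URIs that make an ACL grant readable by everyone (AllUsers) or by
# any AWS account holder (AuthenticatedUsers), both of which are "public".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# All four Block Public Access switches must be on for the bucket to be safe.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def public_acl_grants(acl):
    """Return (group, permission) for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return findings


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    # Both 'Principal: "*"' and 'Principal: {"AWS": "*"}' mean "anyone".
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy):
    """Return (Sid, actions, has_condition) for Allow statements open to anyone."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements to "*" are a hardening pattern, not a leak
        if not _principal_is_public(stmt.get("Principal")):
            continue
        # A Condition may narrow the grant; report it so a human reviews it.
        findings.append((stmt.get("Sid", "<no Sid>"),
                         _as_list(stmt.get("Action", [])),
                         "Condition" in stmt))
    return findings


def public_access_block_gaps(pab):
    """Return the Block Public Access settings that are missing or False."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return [k for k in PUBLIC_ACCESS_BLOCK_KEYS if not cfg.get(k, False)]


def audit_bucket(acl, policy, pab):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    for group, perm in public_acl_grants(acl):
        findings.append(f"ACL grants {perm} to {group}")
    for sid, actions, conditional in public_policy_statements(policy):
        qual = " (conditional)" if conditional else ""
        findings.append(f"policy statement {sid} allows {','.join(actions)} to Principal *{qual}")
    gaps = public_access_block_gaps(pab)
    if gaps:
        findings.append("Block Public Access not fully enabled: " + ", ".join(gaps))
    return findings


# Constructed sample: the leaky configuration (hypothetical bucket name).
LEAKY_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
LEAKY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-signup-bucket/*"},
]}
NO_PAB = {"PublicAccessBlockConfiguration": {k: False for k in PUBLIC_ACCESS_BLOCK_KEYS}}

# Constructed sample: the hardened configuration for the same bucket.
HARDENED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-signup-bucket", "arn:aws:s3:::example-signup-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}
FULL_PAB = {"PublicAccessBlockConfiguration": {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS}}

if __name__ == "__main__":
    for name, cfg in (("leaky", (LEAKY_ACL, LEAKY_POLICY, NO_PAB)),
                      ("hardened", (HARDENED_ACL, HARDENED_POLICY, FULL_PAB))):
        print(name, audit_bucket(*cfg) or ["no public exposure found"])
```

The hardened sample keeps a `Deny` statement addressed to `Principal: "*"`; that is deliberate, since a deny-to-everyone rule (here, refusing plain-HTTP requests) is a hardening pattern, and the audit only flags `Allow` statements. Enabling all four Block Public Access settings is the most robust single fix, because it overrides any public ACL or policy that a later deployment might reintroduce.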
“The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals,” vpnMentor stated.
vpnMentor's report also warns that cybercriminals could misuse such sensitive data in many ways, from impersonating an identity to committing tax fraud.
Noam Rotem and Ran Locar, researchers at vpnMentor, added: "The sheer volume of sensitive, private data exposed, along with UPI IDs, document scans, and more, makes this breach deeply concerning. The exposure of BHIM user data is akin to a hacker gaining access to the entire data infrastructure of a bank, along with millions of its users' account information."
The exposure was first reported in April, and the bucket was secured by the end of May.
BHIM was launched in 2016 by the nonprofit National Payments Corporation of India (NPCI) as a central-government-backed initiative to move India toward a cashless economy, and it has succeeded in scale, with the app surpassing 18.4 million transactions as of February 2020.