BHIM data leak exposes 7 million Indians' data: Report
Exposed data include financial details, photos, Aadhaar and PAN card details
India's popular mobile payments app, BHIM (Bharat Interface for Money), has suffered a major data leak that exposed the sensitive information collected when users sign up for the app, including financial details, photos, Aadhaar and PAN card details, of more than seven million people, according to a report by the cybersecurity research portal vpnMentor. "The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals," the research portal stated.
According to vpnMentor, after discovering the exposure in April the team first approached CSC e-Governance Services, the developer behind the website www.cscbhim.in. Receiving no response, it emailed the Indian Computer Emergency Response Team (CERT-In); the exposed storage was secured after a second email on May 22, the report said. The 409-gigabyte data set included personally identifiable information such as Aadhaar card details, caste certificates, proof of residence and bank records, amounting to a complete profile of each individual.
The vpnMentor team says the BHIM website was being used in a campaign to sign up users and business merchants to the app, and that some of the data collected in that campaign was stored on a "misconfigured Amazon Web Services S3 bucket and was publicly accessible". S3 buckets are a popular form of cloud storage across the world, but the bucket owner is responsible for configuring access controls: a bucket is private by default, and it becomes world-readable only when its owner attaches a policy or ACL that grants access to everyone, or fails to enable the account-level Block Public Access settings that override such grants.
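As an added illustration of what "misconfigured" means in practice (this is example code written for this article, not code from the vpnMentor report or from CSC), the following checks a bucket policy and ACL for anonymous read access and shows how the Block Public Access settings neutralise such grants. The bucket name, the role ARN and the policy and ACL documents are constructed for the example; in a real audit they would come from `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` (or the equivalent boto3 calls).

```python
"""Flag an S3 bucket whose policy or ACL lets anyone read its contents.

Added example, not part of the vpnMentor report or CSC's own code. The
policy, ACL, bucket name and role ARN below are constructed for
illustration only.
"""
import json

# Canned ACL grantees that mean "anyone on the internet" / "any AWS account".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """IAM documents allow a scalar or a list in most fields; normalise."""
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. an anonymous grant."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def policy_public_statements(policy):
    """Return the Sids of unconditioned Allow statements that grant object
    or listing reads to everyone. One such statement makes the whole
    bucket (or the matching prefix) world-readable."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditioned grants need manual review, not auto-flagging
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def acl_public_grants(grants):
    """Return (grantee URI, permission) pairs in a bucket ACL that give
    AllUsers or AuthenticatedUsers read access."""
    out = []
    for g in grants:
        uri = g.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEES and g.get("Permission") in READ_PERMISSIONS:
            out.append((uri, g["Permission"]))
    return out


def is_publicly_readable(policy, grants, bpa):
    """Combine the controls. IgnorePublicAcls disables public ACL grants;
    RestrictPublicBuckets stops a public bucket policy from granting
    cross-account or anonymous access. Either one must be off for the
    matching grant to actually expose data."""
    acl_open = bool(acl_public_grants(grants)) and not bpa.get("IgnorePublicAcls", False)
    policy_open = (bool(policy_public_statements(policy))
                   and not bpa.get("RestrictPublicBuckets", False))
    return acl_open or policy_open


# Constructed sample: the kind of policy that leaves a signup-data bucket open.
EXPOSED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-signup-uploads",
                 "arn:aws:s3:::example-signup-uploads/*"]
  }]
}""")

# Constructed hardened policy: only a named role in the account may read.
LOCKED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AppRoleRead",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/signup-api"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-signup-uploads/*"
  }]
}""")

PUBLIC_ACL = [{"Grantee": {"Type": "Group",
                           "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
               "Permission": "READ"}]
BPA_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
BPA_ON = {k: True for k in BPA_OFF}

if __name__ == "__main__":
    print(policy_public_statements(EXPOSED_POLICY))                 # ['PublicRead']
    print(is_publicly_readable(EXPOSED_POLICY, PUBLIC_ACL, BPA_OFF))  # True
    print(is_publicly_readable(EXPOSED_POLICY, PUBLIC_ACL, BPA_ON))   # False
    print(is_publicly_readable(LOCKED_POLICY, [], BPA_OFF))           # False
```

The point of the last function is that fixing the policy alone is fragile: a later deploy can re-add a public statement, whereas turning on all four Block Public Access settings at the account level makes such a statement ineffective even if it is applied.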
The S3 bucket contained records dating from February 2019 onwards, according to the report. "However, even within such a short timeframe, over 7 million records had been uploaded and exposed... The S3 bucket also contained massive CSV lists of merchant businesses signed up to BHIM, along with the business owner's UPI ID number," the portal stated. There were more than one million such merchant entries.
The vpnMentor research team discovered the misconfiguration in CSC's S3 bucket as part of a large-scale web mapping project. "The UPI payment system is similar to a bank account in many ways. It would be incredibly valuable to hackers, giving them access to vast amounts of information about a person's finances and bank accounts. This data would make illegally accessing those accounts much easier," the portal said, explaining the gravity of the exposure. "The exposure of BHIM user data is akin to a hacker gaining access to the entire data infrastructure of a bank, along with millions of its users' account information."
vpnMentor warns that cybercriminals could combine the exposed data in many ways to commit a range of crimes, including identity theft and tax fraud.
"The exposure of private data may also contribute to a broader deterioration of trust between the Indian public, government bodies, and technology companies. Data privacy is a huge concern for people from all sections of society, and many people could be reluctant to adopt a software tool linked to such a scandal," vpnMentor states.
Backed by the central government, BHIM has been a main driver of India's cashless transactions. Launched in 2016 by the non-profit National Payments Corporation of India (NPCI), the app clocked over 18.4 million transactions in February 2020.