Data of more than seven million users of the mobile payments app BHIM (Bharat Interface for Money) were exposed through a website breach that revealed sensitive personal information, according to a report by the online portal vpnMentor. The exposed data include information collected when signing up for the app, such as financial details, photos, and Aadhaar and PAN card details. "The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals," the research portal stated. However, NPCI, which operates BHIM, has denied the claim.
According to vpnMentor, upon discovering the exposure in April, the team first approached the developers at CSC e-Governance Services, which is behind the website www.cscbhim.in. Receiving no response, they emailed the Indian Computer Emergency Response Team (CERT-In). CERT-In closed the exposure after a second email on May 22, the report said. The 409-gigabyte leak included personally identifiable information such as Aadhaar card details, caste certificates, proof of residence and bank records, amounting to a complete profile of each affected individual.
However, refuting the claims by vpnMentor, NPCI stated: "We have come across some news reports which suggest data breach at BHIM App. We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows a high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem."
The vpnMentor team claims that the BHIM website was being used in a campaign to sign up users and business merchants to the app, and that data collected in that campaign was being stored on a "misconfigured Amazon Web Services S3 bucket" that "was publicly accessible". S3 buckets are a widely used form of cloud object storage. A new bucket is private by default, but a bucket policy or access control list (ACL) that grants access to an anonymous principal (Principal "*" in a policy, or the AllUsers group in an ACL) makes its contents readable by anyone on the internet, so the bucket owner, not AWS, is responsible for configuring and auditing access. AWS also provides account- and bucket-level Block Public Access settings that override such grants; the report does not say which mechanism made the CSC bucket public.
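The following is an added example, not code from the vpnMentor report, CSC or NPCI, showing how the misconfiguration described above looks in practice and how an engineer would check for it offline. It evaluates bucket policy and ACL documents in the same JSON shape that `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` return, flags grants to anonymous or any-AWS-account principals, and checks a Block Public Access configuration. The bucket name `example-signup-bucket`, the account ID `123456789012`, the role name and all four documents are constructed for illustration and are not taken from the incident.

```python
"""Offline check for world-readable S3 bucket configurations.

The policy and ACL documents below are constructed samples, not the
CSC bucket's real configuration. Evaluate them with the functions
provided to see which grants make a bucket public.
"""
import json

# Canned group URIs that S3 ACLs use for "everyone" and "any AWS account".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}

# Hardened Block Public Access settings: every flag must be true.
BLOCK_PUBLIC_ACCESS_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
                            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """'*' and {'AWS': '*'} both mean anyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_grants(policy):
    """Return (kind, actions) for every Allow statement granted to everyone.

    kind is 'public' for an unconditional grant and 'conditional' when a
    Condition block is present (it may narrow the grant, so review it by hand).
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        kind = "conditional" if stmt.get("Condition") else "public"
        findings.append((kind, sorted(_as_list(stmt.get("Action", [])))))
    return findings


def acl_public_grants(acl):
    """Return (group, permission) for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            findings.append((PUBLIC_ACL_GROUPS[grantee["URI"]], grant.get("Permission")))
    return findings


def is_public(policy, acl):
    """True if either the policy or the ACL exposes the bucket to everyone."""
    return any(kind == "public" for kind, _ in policy_public_grants(policy)) \
        or bool(acl_public_grants(acl))


def block_public_access_enforced(config):
    """True only if all four Block Public Access flags are set."""
    return all(config.get(key) is True for key in BLOCK_PUBLIC_ACCESS_KEYS)


# Constructed sample documents (hypothetical bucket, account and role).
LEAKY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-signup-bucket",
                     "arn:aws:s3:::example-signup-bucket/*"],
    }],
}
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-signup-app"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-signup-bucket/*",
    }],
}
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
               "Permission": "FULL_CONTROL"}
LEAKY_ACL = {"Grants": [OWNER_GRANT, {
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [OWNER_GRANT]}
BLOCK_ALL = {key: True for key in BLOCK_PUBLIC_ACCESS_KEYS}
BLOCK_NONE = {key: False for key in BLOCK_PUBLIC_ACCESS_KEYS}

if __name__ == "__main__":
    for label, pol, acl, bpa in (("leaky", LEAKY_POLICY, LEAKY_ACL, BLOCK_NONE),
                                 ("hardened", HARDENED_POLICY, PRIVATE_ACL, BLOCK_ALL)):
        print(label, json.dumps({"public": is_public(pol, acl),
                                 "policy": policy_public_grants(pol),
                                 "acl": acl_public_grants(acl),
                                 "block_public_access": block_public_access_enforced(bpa)}))
```

Run against real buckets by feeding it the JSON from `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block`; a bucket with no public grants but Block Public Access disabled is still one careless policy edit away from the situation in the report, which is why the last check matters as much as the first two.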
The S3 bucket contained records from February 2019, as per the report. "However, even within such a short timeframe, over 7 million records had been uploaded and exposed... The S3 bucket also contained massive CSV lists of merchant businesses signed up to BHIM, along with the business owner’s UPI ID number," the portal stated. There were more than 1 million such entries.
The vpnMentor research team discovered the misconfiguration in CSC's S3 bucket as part of a large web mapping project. "The UPI payment system is similar to a bank account in many ways. It would be incredibly valuable to hackers, giving them access to vast amounts of information about a person's finances and bank accounts. This data would make illegally accessing those accounts much easier," the portal said, explaining the gravity of the exposure. "The exposure of BHIM user data is akin to a hacker gaining access to the entire data infrastructure of a bank, along with millions of its users' account information."
The website warns that cybercriminals could combine the data in many ways to commit various crimes, including identity theft and tax fraud.
"The exposure of private data may also contribute to a broader deterioration of trust between the Indian public, government bodies, and technology companies. Data privacy is a huge concern for people from all sections of society, and many people could be reluctant to adopt a software tool linked to such a scandal," vpnMentor states.
A central-government-backed project, BHIM was a key driver of India's push toward cashless transactions. Launched in 2016 by the nonprofit NPCI, the app had clocked over 18.4 million transactions as of February 2020.