Popular Unified Payment Interface (UPI)-based digital wallet app Bhim suffered a data breach exposing more than seven million Indians’ financial and personal details.
Apparently, the user data of the Bhim app, developed by NPCI (National Payments Corporation of India) was stored in a misconfigured cloud storage server — Amazon Web Services S3 bucket. There was no proper security protocol in place to prevent hackers from breaching the server, reported vpnMentor, an Israel-based cybersecurity firm.
The company responsible for the development of the official Bhim website and the sensitive data is understood to be the CSC e-Governance Services LTD and also partly managed by the Indian government as well.
“It appears CSC established the website connected to the misconfigured S3 Bucket to promote BHIM usage across India and sign up new merchant businesses, such as mechanics, farmers, service providers, and store owners onto the app. It’s difficult to say precisely, but the S3 bucket seemed to contain records from a short period: February 2019. However, even within such a short timeframe, over 7 million records had been uploaded and exposed,” vpnMentor said.
The leaked user-data included– Scans of Aadhaar card with the number, name, gender, date of birth, Permanent Account Number (PAN), scanned copies of Caste and Religion certificates, user’s picture along with residential details, professional degree certificates, screenshots of financial and banking apps as proof of fund transfers and scans of fingerprint impressions (Note: Our understanding is that some people probably in rural areas, who don’t know how to sign may have submitted thumb impression in one of KYC documents submitted to BHIM app.).
The vulnerability in the Bhim website and cloud storage server was first detected on 23 April and vpnMentor is said to have approached state-run Indian Computer Emergency Response Team (CERT-In) on April 28. The latter responded to complaints on the following day and is said to have rectified the security loopholes in the Bhim cloud storage system on May 22.
So far, there are no official reports of misuse of Bhim UPI app users’ financial data as such, but consumers are warned not to share any OTP (One Time Password) nor respond to calls or emails from anybody seeking bank account number or any financial details.
Here’s the official response from NPCI:
“We have come across some news reports which suggest data breach at BHIM App. We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem”.
Here’s How to safeguard your PC or mobile phone from adware and other malicious threats:
1) Whether you have an Android mobile or iOS-based iPhone or Windows-powered PCs or Mac computer, always stay updated with the latest software. All Google, Microsoft, and Apple send regularly send firmware — especially security patches monthly or on a priority basis, whenever they detect threats. So, make sure you install the latest software.
2) Another good practice is to install a premium Antivirus software, which offers 24×7 protection. They are equipped to detect threats quickly whenever you unknowingly visit a shady website
3) As said before never ever open emails or SMS and click URL links sent from unknown senders
4) Also, never install apps or software from unfamiliar publishers.
5) Always download apps from Google Play or Apple App Store or Windows Store only. Never install from any third-party app store.
Get the latest news on new launches, gadget reviews, apps, cyber security and more on personal technology only on DH Tech.