Personal records of more than 7 million users of mobile payments app BHIM were exposed in a website breach, according to a report by Israeli cybersecurity website vpnMentor. The National Payments Corporation of India, however, has refuted the claim.
The website was developed by CSC e-Governance Services in partnership with the Indian government and was being used in a campaign to sign up users and business merchants to the app; some of the related data was being stored on a “misconfigured Amazon Web Services S3 bucket and was publicly accessible”. The S3 bucket contained records from February 2019, as per vpnMentor’s findings.
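The exposure described above is the classic S3 failure mode: data reachable because a bucket policy, an ACL grant or missing Public Access Block settings let anonymous principals read it. The following is an added defender-side check, not tooling from vpnMentor, CSC or NPCI; it evaluates a bucket's policy, ACL grants and Public Access Block flags offline on constructed sample input, and the bucket name example-signup-data and the sample policy are invented.

```python
import json

# ACL grantee groups that make a bucket or object readable by anyone (AllUsers)
# or by any AWS account holder (AuthenticatedUsers).
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def policy_is_public(policy_json: str) -> bool:
    """True if an Allow statement names an anonymous principal and has no Condition."""
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if anonymous and not stmt.get("Condition"):
            return True
    return False

def acl_is_public(grants: list) -> bool:
    """True if any ACL grant targets a public grantee group."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GRANTEES for g in grants)

def assess_bucket(policy_json: str, grants: list, public_access_block: dict) -> dict:
    """Combine policy, ACL and Public Access Block settings into one verdict.
    IgnorePublicAcls neutralises public ACL grants; RestrictPublicBuckets
    neutralises a public bucket policy (both are real S3 setting names)."""
    via_acl = acl_is_public(grants) and not public_access_block.get("IgnorePublicAcls")
    via_policy = (policy_is_public(policy_json)
                  and not public_access_block.get("RestrictPublicBuckets"))
    return {"public_via_acl": via_acl, "public_via_policy": via_policy,
            "public": via_acl or via_policy}

# Constructed sample: a bucket policy that lets anyone read every object.
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-signup-data/*"}]})
# Constructed sample: a bucket ACL with a READ grant to the AllUsers group.
LEAKY_GRANTS = [{"Grantee": {"Type": "Group",
                             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"}]
NO_BLOCK = {k: False for k in ("BlockPublicAcls", "IgnorePublicAcls",
                               "BlockPublicPolicy", "RestrictPublicBuckets")}
FULL_BLOCK = {k: True for k in NO_BLOCK}  # the hardened setting

if __name__ == "__main__":
    print(assess_bucket(LEAKY_POLICY, LEAKY_GRANTS, NO_BLOCK))    # public: True
    print(assess_bucket(LEAKY_POLICY, LEAKY_GRANTS, FULL_BLOCK))  # public: False
```

The same logic can be fed the output of the real GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock API calls; turning all four Public Access Block flags on is the setting that would have neutralised both exposure paths here.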
The 409-gigabyte data leak includes personally identifiable information such as Aadhaar card details, residence proof and bank records, along with complete profiles of individuals, the report said.
Denying any data breach on the BHIM app, NPCI said, “We have come across some news reports which suggest a data breach at BHIM App. We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows a high level of security and an integrated approach to protect its infrastructure and continues to provide a robust payments ecosystem.”
ET has also e-mailed queries to CSC e-Governance Services India for comment and is awaiting a response.
As per vpnMentor, the misconfiguration was reported in April and fixed by the end of last month. Noam Rotem and Ran Locar, the cybersecurity researchers who discovered the data leak, said: “The sheer volume of sensitive, private data exposed, along with UPI IDs, document scans, and more, makes this breach deeply concerning. The exposure of BHIM user data is akin to a hacker gaining access to the entire data infrastructure of a bank, along with millions of its users’ account information.”
“The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cyber criminals,” the cybersecurity firm said in a statement.
Update: The story has been updated to include NPCI’s response. It has also been modified to indicate that the BHIM app itself didn’t suffer a data breach; rather, personal records of BHIM users were exposed in a breach of a website developed by CSC e-Governance Services.