Mumbai: The National Payments Corporation of India (NPCI), India's payment processor, on Monday evening quashed reports claiming a data breach.
A report released by vpnMentor on Sunday described a data breach on a website set up to onboard merchants onto NPCI's BHIM app. The breach may have left data records of 72.30 lakh users public.
The website (cscbhim.in) was set up by CSC e-Governance Services, a system implementation agency that partnered with several ecosystem players to develop the BHIM app.
Reports say screenshots uploaded to the website included key data points such as Aadhaar cards, PAN cards, caste certificates, proof of residence and income, professional certificates, and even banking data such as biometrics, fund transfer details and bank account data, which may have been made public during the course of the breach.
The Israeli security monitoring firm vpnMentor reported that the major breach was first detected sometime in April and was subsequently conveyed to the CSC e-Governance team. The team plugged the loophole as early as May 22. Researchers say that they had to contact India's Computer Emergency Response Team (CERT-In) twice in a month's time to get the loophole fixed.
"The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals," the security researchers from vpnMentor wrote in a blog post on Sunday.
A team of Noam Rotem and Ran Locar of vpnMentor said that the screenshots containing merchant data and other information may have been inadvertently stored on a misconfigured Amazon Web Services platform. This AWS platform remained publicly accessible and may have led to a major breach. According to the analysts, data from as early as February 2019 may have been made publicly visible. The volume of exposed data, which was first discovered by the security researchers on April 23, amounted to 409GB.
"In this case, the data was stored on an unsecured Amazon Web Services (AWS) S3 bucket," the researchers said, adding that S3 buckets are a popular form of cloud storage across the world but require developers to set up security protocols on their accounts.
"We reached out to the website's developers to notify them of the misconfiguration in their S3 bucket and to offer our assistance. After not receiving a reply, we contacted India's Computer Emergency Response Team (CERT-In), which deals with cybersecurity in the country," a report from the analysts added.
"The exposure of BHIM user data is akin to a hacker gaining access to the entire data infrastructure of a bank, along with millions of its users' account information," the report added.
The NPCI has said that the BHIM app was safe for general customers to use. An NPCI clarification reads, "We have come across some news reports which suggest data breach at BHIM App. We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem."