#LeakAlert: Data of 7 million+ BHIM users exposed

When BHIM was launched in 2016, a CSC website (http://cscbhim.in/) was created as part of a campaign to bring as many users and merchants as possible to the app.

All the data collected through this campaign, estimated to be 409GB in size, was stored on an Amazon Web Services S3 bucket and left unprotected, open to be accessed/downloaded by anyone knowing where to look.

As spotted by vpnMentor in April, the unprotected bucket had 7.26 million user records, which included Aadhaar cards, caste certificates, address proofs, professional certificates, college degrees, and Permanent account numbers (PANs), and screenshots taken to show successful fund transfers.

The information included in these documents could have easily been used by attackers to create a whole profile of individuals and target them with scams.

Initially, the vpnMentor team tried contacting CSC e-Governance Services, the developer of the CSC BHIM website and the owner of the S3 bucket, but did not receive a response.

Then, multiple reports were sent to India's Computer Emergency Response Team (CERT-In), following which the unprotected AWS bucket was secured, and the data was no longer being exposed.

The National Payments Corporation of India (NCPI), which developed the BHIM app, says that the exposure does not relate to the app data.

"There has been no data compromise at BHIM App. NPCI follows a high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem," it said in a statement quoted by Economic Times.