#LeakAlert: Data of 7 million+ BHIM users exposed
Personal and financial data of more than 7 million users of BHIM, the government-backed peer-to-peer UPI payments app, has been exposed publicly. The data sat on an unprotected Amazon S3 storage bucket that was discovered by researchers at vpnMentor, who reported it to the Indian authorities. The bucket has since been secured, vpnMentor said in a blog post. Here are all the details.
When BHIM was launched in 2016, a CSC website (http://cscbhim.in/) was created as part of a campaign to bring as many users and merchants as possible onto the app. All the data collected through this campaign, estimated at 409GB, was stored in an Amazon Web Services S3 bucket that was left without access controls, so anyone who knew where to look could list and download it.
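The article describes the exposure only as a bucket "left unprotected". The Python below is an added illustration, not code from vpnMentor, CSC or the page, of the two AWS controls that decide whether an S3 bucket is reachable anonymously: the bucket policy document and the S3 Block Public Access switches. It evaluates both offline on constructed sample configurations (the bucket name, account ID and role ARN are made up) and shows a weak policy beside a hardened one. It covers policy-based exposure only; ACL grants to AllUsers, NotAction and NotPrincipal are out of scope.

```python
"""Assess whether an S3 bucket configuration allows anonymous read or list access.

Added example; sample policies and settings below are constructed for illustration.
"""
import fnmatch
import json

# Object read plus bucket listing is what turns a bucket into a browsable file share.
SENSITIVE_READ = ("s3:getobject", "s3:listbucket")

# The four S3 Block Public Access switches (account- or bucket-level).
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """Policy JSON allows a string or a list in most fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, the two spellings of 'everyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_statements(policy):
    """Return Sids of unconditional Allow statements granting anonymous read/list access.

    Statements with a Condition block (e.g. aws:SourceVpce) are skipped; they need
    manual review rather than an automatic verdict.
    """
    found = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        # Action entries may be wildcards such as "s3:*" or "s3:Get*".
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        if any(fnmatch.fnmatchcase(target, p) for p in patterns for target in SENSITIVE_READ):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


def block_public_access_effective(settings):
    """True only when all four Block Public Access switches are enabled."""
    return all(bool(settings.get(k, False)) for k in BPA_KEYS)


def assess(settings, policy):
    """Combine both controls into one verdict.

    RestrictPublicBuckets makes S3 ignore a public bucket policy for anonymous
    callers, so a public statement is an exposure only when that switch is off.
    """
    public = public_read_statements(policy)
    return {
        "public_statements": public,
        "block_public_access": block_public_access_effective(settings),
        "exposed": bool(public) and not settings.get("RestrictPublicBuckets", False),
    }


# Constructed sample: the kind of policy that makes a bucket world-readable.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-campaign-uploads",
                     "arn:aws:s3:::example-campaign-uploads/*"],
    }],
}

# Constructed sample: same permissions, but only for one named role (hypothetical ARN).
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "UploaderRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-uploader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-campaign-uploads",
                     "arn:aws:s3:::example-campaign-uploads/*"],
    }],
}

BPA_OFF = {k: False for k in BPA_KEYS}
BPA_ON = {k: True for k in BPA_KEYS}

if __name__ == "__main__":
    for label, settings, policy in (("weak, BPA off", BPA_OFF, WEAK_POLICY),
                                    ("weak, BPA on", BPA_ON, WEAK_POLICY),
                                    ("hardened, BPA off", BPA_OFF, HARDENED_POLICY)):
        print(label, json.dumps(assess(settings, policy)))
```

The same checks apply to a live bucket by feeding `assess()` the output of `get_public_access_block` and `get_bucket_policy` from the AWS API; the point of the offline version is that the weak and hardened policies differ only in the Principal, which is exactly the field an attacker scanning for open buckets relies on.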
As spotted by vpnMentor in April, the unprotected bucket held 7.26 million records, including scans of Aadhaar cards, caste certificates, proofs of address, professional certificates, college degrees and Permanent Account Numbers (PANs), as well as screenshots taken to show successful fund transfers. Taken together, the information in these documents could easily have been used by attackers to build a complete profile of an individual and target them with scams.
Initially, the vpnMentor team tried contacting CSC e-Governance Services, the developer of the CSC BHIM website and the owner of the S3 bucket, but received no response. It then sent multiple reports to India's Computer Emergency Response Team (CERT-In), after which the bucket was secured and the data was no longer exposed.
The National Payments Corporation of India (NPCI), which developed the BHIM app, says the exposed data is unrelated to the app's own data. "There has been no data compromise at BHIM App. NPCI follows a high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem," it said in a statement quoted by Economic Times.
That said, it is not yet known whether anyone other than the researchers accessed the unprotected bucket before it was secured.