NEW DELHI: Financial and personal data of millions of users of BHIM (Bharat Interface for Money) was found exposed in a misconfigured Amazon Web Services S3 bucket by the online security firm vpnMentor in April.
The issue was reported to CERT-In on 28 April. The exposure was closed on 22 May.
S3 buckets are a popular form of cloud storage, but the owner of a bucket is responsible for configuring who may list and read it: bucket policies, ACLs and the account-level Block Public Access settings all default to private, and a bucket becomes publicly readable only when the owner grants that access. A publicly viewable S3 bucket is therefore not a flaw in AWS. It is the result of an oversight by the owner of the bucket.
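The following is an added example, not code from the original article and not the configuration of NPCI, CSC or the csc-bhim bucket. It shows, offline, the kind of check an owner can run over a bucket policy document: the constructed `WEAK_POLICY` grants `s3:GetObject` and `s3:ListBucket` to the wildcard principal, which is exactly what makes a bucket world-readable, while the constructed `FIXED_POLICY` limits the same actions to one IAM role in the owning account (the account ID and role name are placeholders). The second helper checks that all four Block Public Access settings are on, which is the account-level backstop that prevents such a policy from being attached in the first place.

```python
"""Offline check of an S3 bucket policy for anonymous read access.

Added example, not code from the original article or from the project it
describes. The policies below are constructed illustrations of a weak and a
corrected configuration; they do not describe the actual csc-bhim bucket.
"""
import fnmatch
import json

# Concrete actions that let an anonymous caller enumerate or download objects.
READ_TARGETS = ("s3:getobject", "s3:listbucket")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone, signed in or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def _grants_read(actions):
    """True if any action pattern (s3:*, s3:Get*, *) covers a read action."""
    patterns = [a.lower() for a in _as_list(actions)]
    return any(fnmatch.fnmatchcase(t, p) for p in patterns for t in READ_TARGETS)


def public_read_statements(policy):
    """Return Sids (or indexes) of statements that allow unconditional read
    access to any principal. An empty list means this policy does not open
    the bucket; object ACLs and Block Public Access still have to be checked."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if not _grants_read(stmt.get("Action", [])):
            continue
        # A Condition (e.g. aws:SourceVpce or aws:PrincipalOrgID) can narrow
        # the grant; those statements need manual review rather than an
        # automatic "public" verdict, so they are skipped here.
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", str(idx)))
    return findings


def block_public_access_ok(config):
    """True only if all four Block Public Access settings are enabled."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(config.get(k) is True for k in keys)


# Constructed: a policy that leaves every object in the bucket world-readable.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-onboarding-docs",
                 "arn:aws:s3:::example-onboarding-docs/*"]
  }]
}""")

# Constructed: the same grant limited to one IAM role in the owning account
# (placeholder account ID and role name).
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AppRoleRead",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/onboarding-app"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-onboarding-docs",
                 "arn:aws:s3:::example-onboarding-docs/*"]
  }]
}""")

if __name__ == "__main__":
    print("weak :", public_read_statements(WEAK_POLICY))   # ['PublicRead']
    print("fixed:", public_read_statements(FIXED_POLICY))  # []
```

In practice the policy document comes from `aws s3api get-bucket-policy --bucket NAME` (the `Policy` field is a JSON string) and the Block Public Access settings from `aws s3api get-public-access-block --bucket NAME`; AWS's own Access Analyzer for S3 performs the same kind of evaluation, including ACLs and conditions, and is the authoritative check.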
The vpnMentor team found an exposed S3 bucket named csc-bhim containing records dating from February 2019 onwards. About 7.26 million records, totalling 409GB, had been uploaded to it in that period.
The exposed data was linked to a website that was being used for a campaign to get new users and merchants to sign up for the app.
According to vpnMentor, the exposed data included scans of Aadhaar cards, scans of caste certificates, photos used as proof of residence, professional certificates and degrees, screenshots taken within financial and banking apps as proof of fund transfers along with Permanent Account Number (PAN) card details.
All these documents and scans carried personal information about users, including their names, dates of birth, photos and biometric details such as fingerprint scans.
The S3 bucket also held documents and personally identifiable information (PII) belonging to minors, as well as CSV lists of merchants signed up on BHIM and of other businesses with a UPI ID.
The researchers described the volume of sensitive data exposed through this oversight by the BHIM app's developers as deeply concerning, and likened it to an attacker gaining access to a bank's entire data infrastructure, including the private records of millions of customers.
If that data falls into the hands of cybercriminals, it can have a catastrophic impact on the lives of the users involved. It can lead to theft, tax fraud and unauthorised withdrawals from bank accounts via UPI, the researchers stated.
The misconfiguration in CSC's S3 bucket was discovered by vpnMentor during a web mapping project, in which its researchers use port scanning to examine particular IP blocks and test the systems found there for weaknesses or vulnerabilities. They came across the bucket because it had been left publicly accessible and its contents unencrypted. Of the two, public access is the decisive failure: S3 server-side encryption is transparent to anyone permitted to read an object, so encryption alone would not have protected a bucket that was open to the world.
Developed by the National Payments Corporation of India (NPCI), BHIM was launched in December 2016 and had reportedly been downloaded 136 million times by 2020.