Millions of personal and financial records meant to be onboarded on BHIM, or Bharat Interface for Money, by CSC e-Governance Services India Ltd were found exposed on a misconfigured Amazon Web Services (AWS) S3 bucket by Israel-based online security research firm vpnMentor in April. No data was exposed through the BHIM app. It was allegedly exposed through a CSC website, though the company has disputed that. No data was compromised in any case.
vpnMentor claims the issue was reported to CERT-In on April 28 and the lapse was addressed on May 22.
“The developers of the CSC BHIM website could have easily avoided exposing user data if they had taken some basic security measures to protect it,” the researchers at vpnMentor added.
CSC e-Governance Services India Limited has refuted the allegations.
“The claim is incorrect because we never captured Aadhaar data in the entire process,” Dinesh Tyagi, CEO of CSC e-Governance Services India told Mint.
National Payments Corporation of India (NPCI), the original custodian of BHIM app, reiterated that no data was compromised at BHIM app’s end. In a statement to Mint, NPCI said, “We have come across some news reports which suggest data breach at BHIM App. We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem”.
CSC e-Governance Services India Limited is a special purpose vehicle set up by the Ministry of Electronics & IT (MEITY). The CSC website in question was set up to promote use of BHIM and get more users and merchants to sign up for it.
An S3 bucket is a form of cloud storage offered by AWS in which the account owner, not AWS, is responsible for configuring the access controls. A publicly viewable S3 bucket is therefore not a flaw in AWS; it is the result of an oversight by the owner of the bucket.
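To make the point concrete, the following added example (not code from the article, CSC or AWS) audits an S3 bucket policy document for statements that grant anonymous access, the kind of owner-side misconfiguration the article describes. It contrasts a constructed weak policy with a constructed hardened one and also takes the bucket's Block Public Access flags into account. The bucket name "example-bucket", the role name and the account ID 123456789012 are placeholders, not values from the article.

```python
"""Audit an S3 bucket policy document for statements that grant anonymous access.

Added example, not code from the article or from CSC/AWS. The policy documents
below are constructed for illustration; "example-bucket", the role name and the
account ID 123456789012 are placeholders, not values from the article.
"""
import json


def _as_list(value):
    """Normalise a policy element that may be a string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True when the Principal element allows anyone (anonymous access)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_statements(policy):
    """Return the Sids (or indexes) of Allow statements open to everyone.

    A statement is flagged when Effect is Allow, the Principal is a wildcard
    and no Condition narrows who may call. Statements that do carry a Condition
    are reported separately for manual review rather than flagged outright.
    """
    flagged, review = [], []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        label = stmt.get("Sid", f"statement[{idx}]")
        if stmt.get("Condition"):
            review.append(label)
        else:
            flagged.append(label)
    return {"public": flagged, "needs_review": review}


def audit_bucket_policy(policy_json, block_public_access=None):
    """Combine policy findings with the bucket's Block Public Access flags.

    block_public_access mirrors the four boolean keys of the S3
    PublicAccessBlockConfiguration. When all four are true, S3 rejects or
    ignores a public policy, so a public statement is no longer an exposure.
    """
    result = find_public_statements(json.loads(policy_json))
    bpa = block_public_access or {}
    fully_blocked = all(bpa.get(k) for k in (
        "BlockPublicAcls", "IgnorePublicAcls",
        "BlockPublicPolicy", "RestrictPublicBuckets"))
    result["block_public_access"] = fully_blocked
    result["exposed"] = bool(result["public"]) and not fully_blocked
    return result


# Constructed weak policy: lets anyone on the internet list and read every object.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket",
                     "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed hardened policy: only one named role in the owning account may read.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_bucket_policy(doc))
```

In practice the policy document and the PublicAccessBlockConfiguration would be fetched with the AWS CLI or SDK for each bucket in the account and fed to `audit_bucket_policy`; the check above works on the documents alone so it can be run offline against exported configuration.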
Researchers at vpnMentor found that the exposed S3 bucket was labelled csc-bhim and carried records from February 2019 onwards. About 7.26 million records with a total file size of 409GB were uploaded during this time.
The misconfiguration in CSC’s S3 bucket was discovered by vpnMentor during a web mapping project for which their researchers use port scanning to examine particular IP blocks and test different systems for weaknesses or vulnerabilities. They stumbled upon the exposed S3 bucket because it was left unencrypted.
Further, they found that the exposed data included scans of Aadhaar cards, scans of caste certificates, photos used as proof of residence, professional certificates and degrees, screenshots taken within financial and banking apps as proof of fund transfers along with Permanent Account Number (PAN) card details.
All these documents and scans carried personal information about users including their names, dates of birth, photos and biometric details such as fingerprint scans.
“Having such sensitive financial data in the public domain or the hands of criminal hackers would make it incredibly easy to trick, defraud, and steal from the people exposed,” said Noam Rotem, lead security researcher.
It could lead to identity theft, tax fraud and unauthorised withdrawal of money from bank accounts.