Indian Payments App BHIM Exposed to a Massive User Data Breach

Security researchers from vpnMentor discovered a massive data breach in which the records of more than 7 million users connected to India's mobile payments app BHIM (Bharat Interface for Money) were exposed to the public through a website.

BHIM: The app was launched by the non-profit business consortium the National Payments Corporation of India (NPCI) to increase cashless transactions in India.

The exposed data included sensitive information such as names, dates of birth, age, gender, home address, caste status and Aadhaar card details, among others.

The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals.

The website (www.cscbhim.in) was developed by a company called CSC e-Governance Services Ltd. in partnership with the Indian government. The website is used to promote BHIM usage across India and to sign up new merchant businesses.

Its aim is to deliver Government of India e-governance services to rural and remote locations where computers and internet access are in short supply.

How was CSC BHIM data breached?

vpnMentor claims that the data collected for the BHIM deployment was being stored in a misconfigured Amazon Web Services S3 bucket and was "publicly accessible." This is a fairly common error that many websites make when setting up their cloud systems.

As per vpnMentor, 409 GB of sensitive data belonging to individuals and several merchants was lying unsecured, exposing them to potential fraud, theft, and attack from hackers and cybercriminals.

Sensitive data of lakhs of Indians was stored in cloud storage without the security controls on the account needed to keep it safe.

According to the researchers, the data was stored in an unsecured Amazon Web Services (AWS) S3 bucket. S3 buckets are a popular form of cloud storage across the world, but they require developers to configure the security controls on their accounts themselves.

The exposed S3 bucket was labelled 'csc-bhim', which allowed the researchers to quickly identify the developers behind the website 'www.cscbhim.in' as the owners of the data. The leaky AWS S3 bucket was accessible from the internet without any authentication.
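
As an added example (not code from the article, vpnMentor, CSC or NPCI), the check a bucket owner can run over what boto3's get_bucket_acl, get_bucket_policy and get_public_access_block return, to decide whether a bucket is exposed the way 'csc-bhim' was. The ACL sample and owner ID below are constructed, and the Block Public Access handling is a simplified model of S3's real evaluation.

```python
import json

# Group URIs that make an ACL grant apply to anyone, or to any AWS account holder.
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def acl_public_grants(acl):
    """Permissions the bucket ACL hands to anonymous or any-authenticated users."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g["Grantee"].get("Type") == "Group"
                  and g["Grantee"].get("URI") in PUBLIC_GRANTEES)

def _principal_is_public(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def policy_public_statements(policy_doc):
    """Sids of unconditional Allow statements open to any principal (policy as dict or JSON string)."""
    doc = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s.get("Sid", "<no Sid>") for s in stmts
            if s.get("Effect") == "Allow" and not s.get("Condition")
            and _principal_is_public(s.get("Principal"))]

def assess_bucket(acl, policy_doc=None, public_access_block=None):
    """'public', 'blocked' (public grants exist but Block Public Access neutralises them) or 'private'.
    Simplified model: IgnorePublicAcls covers ACL grants, RestrictPublicBuckets covers policy statements."""
    pab = public_access_block or {}
    acl_grants = acl_public_grants(acl)
    pol_stmts = policy_public_statements(policy_doc) if policy_doc else []
    findings = []
    if not pab.get("IgnorePublicAcls"):
        findings += [f"ACL grants {p} to everyone" for p in acl_grants]
    if not pab.get("RestrictPublicBuckets"):
        findings += [f"policy statement '{s}' allows any principal" for s in pol_stmts]
    if findings:
        return "public", findings
    return ("blocked" if acl_grants or pol_stmts else "private"), []

# Constructed sample (not the real CSC/NPCI configuration): an ACL that lets anyone list the bucket.
LEAKY_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
# The corrective setting: all four Block Public Access flags on at the bucket (or account) level.
HARDENED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
```

Running assess_bucket(LEAKY_ACL) reports the bucket as public; the same ACL under HARDENED_PAB comes back as blocked, which is the state the bucket should have been left in.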

All data compromised in the CSC BHIM breach

According to vpnMentor, the following personal documents were found in the exposed S3 bucket:

  • Scans of Aadhaar cards – India's national ID
  • Scans of Caste certificates
  • Photos used as proof of residence
  • Professional certificates, degrees, and diplomas
  • Screenshots taken within financial and banking apps as proof of fund transfers
  • Permanent Account Number (PAN) cards (associated with Indian income tax services)

Apart from this, the leak also included the UPI VPAs (transaction IDs) of users.

Impact of the CSC BHIM data breach

The data breach exposes highly sensitive data. According to the researchers, the S3 bucket also contained documents and PII (personally identifiable information) belonging to minors. Having such sensitive financial data in the public domain would make it incredibly easy to trick, defraud, and steal from the people exposed.

Recommendations

It is recommended to consider the following best practices:

  • Users of online payment apps must take precautions to secure their accounts by using recommended security measures such as strong, unique passwords and two-factor authentication (2FA).
  • Always safeguard your financial information and never share it with unknown entities claiming to represent your bank or other financial institutions.
  • Users whose data was leaked in this e-governance site breach must take the necessary precautions, as their data could be abused by attackers to take over their accounts and perform fraudulent transactions.
  • Users are strongly advised to install applications only from authorised sites.