Security researchers from vpnMentor discovered a massive data exposure (an estimated 7.26 million records) connected to India’s mobile payments app BHIM (Bharat Interface for Money). The website in question (www.cscbhim.in) was developed by a company called CSC e-Governance Services LTD. in partnership with the Indian government.
In vpnMentor’s investigation report, the researchers stated that the website is used to promote BHIM usage across India and to sign up new merchant businesses. The BHIM app was launched by the non-profit business consortium the National Payments Corporation of India (NPCI) to increase cashless transactions in India.
The data was exposed through a misconfigured Amazon Web Services (AWS) S3 storage bucket containing 409 GB of data. Because the bucket was publicly readable, anyone who found its address could download the contents without credentials. The site leaked sensitive profile and financial data, including names, dates of birth, age, gender, home addresses, caste status, Aadhaar card details, biometric details, profile photos, fingerprint scans, photos used as proof of residence, professional certificates, PAN numbers, and ID numbers for government programs and social security services.
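The root cause here is a bucket that was readable by the world. The following is an added example written for this page, not code from vpnMentor or from CSC e-Governance: an offline checker that inspects the two documents an auditor pulls from AWS for a bucket (the ACL, as returned by `get-bucket-acl`, and the bucket policy, as returned by `get-bucket-policy`) plus the account-level Block Public Access flags, and reports the grants that make a bucket public. The bucket name `example-merchant-uploads`, the role ARN and the sample ACL/policy documents are constructed for illustration and are not the real configuration involved in this incident.

```python
"""Offline S3 public-exposure checker (added example; the sample ACL and
policy documents below are constructed, not real CSC/BHIM configuration)."""
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}

def public_acl_grants(acl):
    """Findings for ACL grants to the global AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            findings.append("ACL grants %s to %s" % (grant.get("Permission"), PUBLIC_GROUPS[uri]))
    return findings

def _as_list(value):
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def _is_wildcard_principal(principal):
    """True for Principal "*" or Principal {"AWS": "*"}, the anonymous-access forms."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False

def public_policy_statements(policy):
    """Findings for Allow statements whose principal is a wildcard."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action")))
        # A Condition (aws:SourceIp, aws:SourceVpce, ...) may scope the statement,
        # so it is still reported but labelled rather than silently accepted.
        scope = "conditional" if stmt.get("Condition") else "unconditional"
        findings.append("Policy allows %s to Principal * (%s)" % (actions, scope))
    return findings

def audit_bucket(acl, policy, public_access_block=None):
    """Combine ACL, policy and Block Public Access settings into one verdict.
    IgnorePublicAcls makes S3 ignore public ACL grants; RestrictPublicBuckets
    makes it ignore public bucket-policy statements. Both are reported either way."""
    pab = public_access_block or {}
    acl_findings = public_acl_grants(acl)
    policy_findings = public_policy_statements(policy)
    effective = []
    if not pab.get("IgnorePublicAcls"):
        effective += acl_findings
    if not pab.get("RestrictPublicBuckets"):
        effective += policy_findings
    return {
        "public": bool(effective),
        "findings": acl_findings + policy_findings,
        "effective_findings": effective,
    }

# Constructed sample documents: a world-readable bucket and a hardened one.
EXPOSED_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
EXPOSED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": ["s3:GetObject", "s3:ListBucket"],
                 "Resource": ["arn:aws:s3:::example-merchant-uploads",
                              "arn:aws:s3:::example-merchant-uploads/*"]}]
}""")
HARDENED_ACL = {"Owner": {"ID": "owner-canonical-id"},
                "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                            "Permission": "FULL_CONTROL"}]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/onboarding-app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-merchant-uploads/*"}]}
ALL_BLOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for name, acl, pol, pab in [("exposed", EXPOSED_ACL, EXPOSED_POLICY, None),
                                ("exposed-but-blocked", EXPOSED_ACL, EXPOSED_POLICY, ALL_BLOCKED),
                                ("hardened", HARDENED_ACL, HARDENED_POLICY, ALL_BLOCKED)]:
        print(name, json.dumps(audit_bucket(acl, pol, pab), indent=2))
```

The point of keeping `findings` separate from `effective_findings` is that Block Public Access is a safety net, not a fix: a bucket whose ACL or policy still names `AllUsers` or `Principal "*"` becomes public the moment someone relaxes that account-level setting, so the grant itself should be removed, not just masked.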
“The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals,” the researchers said.
NPCI Denies Data Leak
In a statement, the NPCI said that there was no data breach through the BHIM app. “We have come across some news reports which suggest data breach at BHIM App. We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows a high level of security and an integrated approach to protect its infrastructure and continues to provide a robust payments ecosystem,” the NPCI said.
Security Incidents on Indian Firms
Recently, India-based online learning platform Unacademy suffered a data breach that exposed details of 22 million users. It was also found that unknown hackers had put 21,909,707 user records up for sale at $2,000 on darknet forums. The compromised information included usernames, hashed passwords, date of joining, last login date, account status, email addresses, first and last names, and other account profile details. Hemesh Singh, Co-founder and CTO of Unacademy, confirmed the data breach and stated that only 11 million users were affected and that no sensitive information such as financial data, location or passwords was exposed.