A group of ethical hackers on Monday claimed to have discovered a vulnerability affecting millions of BHIM app users, a claim which was denied by NPCI that operates the small value payments application. Vpnmentor, which claimed to be the largest virtual private networks review website offering a research lab that helps the online community defend itself against cyber threats, alleged that there has been a “data leak” discovered with respect to that of the users of the payments app.
The group also said that an Indian government website focused on pushing adoption of BHIM has exposed data of millions of users to potential fraud.
The National Payments Corporation of India (NPCI) said there has been no data compromise at the BHIM App, which has over 136 million downloads.
“The developers of the CSC/BHIM website could have easily avoided exposing user data if they had taken some basic security measures to protect the data,” Vpnmentor said in a statement.
The Ministry of Electronics and Information Technology has an initiative called CSC (Common Services Centre)-BHIM, which has a portal used by field agents as part of a campaign to push the adoption of the BHIM app, by merchants and also the general public.
According to Vpnmentor, data from this campaign was being stored on a “misconfigured Amazon Web Services S3 bucket” and was publicly accessible, making it vulnerable to misuse for executing frauds, thefts and attack from hackers and cyber criminals.
It also termed the scale of the exposed data as “extraordinary”, and pegged the number of users exposed in “millions”, adding that the 409 GB of data suspected to be breached has over 70 lakh records.
“We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem,” the NPCI said in a statement.
The app was launched in 2016. The breach was discovered on April 23 and the Indian Computer Emergency Response Team was contacted on April 28. The CERT-IN responded the very next day and May 22 has been noted as the date of action in Vpnmentor’s report.
Over 70 lakh users’ data uploaded in February was exposed, the report said, adding the records which were exposed online included scans of Aadhaar cards, caste certificates, residence proofs, professional certificates and degrees, screenshots of fund transfers and PAN cards.
The private personal user data within these documents gave a complete profile of individuals, their finances, and banking records, it noted. In the statement issued by Vpnmentor, its cyber security researchers Noam Rotem and Ran Locar said the sheer volume of sensitive, private data exposed, along with UPI IDs, document scans, and more, makes this breach deeply concerning.
“The exposure of BHIM user data is akin to a hacker gaining access to the entire data infrastructure of a bank, along with millions of its users’ account information,” they said in the statement.