Over 7 million “incredibly sensitive financial data” records belonging to millions of Indian citizens were exposed when data related to India’s mobile payments app BHIM was stored on a misconfigured Amazon Web Services S3 bucket that was publicly accessible.
The exposure was discovered by security researchers Noam Rotem and Ran Locar at vpnMentor. They found that the exposed data related to a new campaign launched by the Indian government to encourage millions of people and business merchants to sign up to the mobile payments app.
The data exposure rendered millions of people across India vulnerable to potentially devastating fraud, theft, and attack from hackers and cybercriminals, the researchers warned. The misconfigured AWS S3 bucket was unearthed when the researchers were carrying out a huge web mapping project to examine IP blocks and test various systems for weaknesses or vulnerabilities.
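The article does not say which S3 setting CSC got wrong, only that the bucket was publicly accessible. In S3 that comes down to three things AWS consults when it answers an unauthenticated request: the Block Public Access flags, the bucket ACL, and the bucket policy. The checker below is an added example, not code from the article, vpnMentor, or CSC. It evaluates those three settings offline from dicts in the shape boto3's `get_public_access_block`, `get_bucket_acl` and `get_bucket_policy` return, so it can be run against exported configuration without credentials; the sample data is constructed, and the bucket name `example-open-bucket` is hypothetical. A live version would fetch the same three documents with boto3, or simply try `aws s3 ls s3://<bucket> --no-sign-request` to see whether anonymous listing works.

```python
"""Offline S3 public-access assessment (added example; constructed data)."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def block_public_access_enabled(pab):
    """True only when all four Block Public Access flags are on.  With fewer
    than four, an existing public ACL or policy can still take effect."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(flag, False) for flag in PAB_FLAGS)


def public_acl_grants(acl):
    """(group, permission) pairs granted to the AllUsers or AuthenticatedUsers
    groups.  READ on a bucket ACL is what lets anyone list its keys."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in (ALL_USERS, AUTH_USERS):
            found.append((uri.rsplit("/", 1)[-1], grant.get("Permission")))
    return found


def _wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_actions(policy):
    """Actions allowed to everyone by unconditional Allow statements.
    Statements with a Condition block are skipped: they may still be public
    (a condition on a header anyone can set, for instance) and deserve a
    manual look, but this checker does not try to evaluate them."""
    if not policy:
        return []
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    actions = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _wildcard_principal(stmt.get("Principal")):
            continue
        action = stmt.get("Action", [])
        actions.extend([action] if isinstance(action, str) else action)
    return actions


def assess_bucket(pab, acl, policy):
    """Return (is_public, reasons) for one bucket's configuration."""
    if block_public_access_enabled(pab):
        return False, ["Block Public Access fully enabled: public ACLs and policies are ignored"]
    reasons = [f"ACL grants {perm} to {group}" for group, perm in public_acl_grants(acl)]
    reasons += [f"bucket policy allows {a} to Principal *" for a in public_policy_actions(policy)]
    return bool(reasons), reasons


# Constructed sample: the open-bucket pattern (all PAB flags off, world-READ
# ACL, and a policy granting listing and object reads to everyone).
OPEN_PAB = {"PublicAccessBlockConfiguration": {flag: False for flag in PAB_FLAGS}}
OPEN_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadAndList",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-open-bucket",
                     "arn:aws:s3:::example-open-bucket/*"],
    }],
})

# The corrected setting: all four Block Public Access flags on.  S3 then
# ignores the public ACL (IgnorePublicAcls) and limits the public policy to
# principals in the bucket owner's account (RestrictPublicBuckets), so the
# same ACL and policy no longer expose anything to anonymous callers.
HARDENED_PAB = {"PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS}}

if __name__ == "__main__":
    for label, pab in (("open", OPEN_PAB), ("hardened", HARDENED_PAB)):
        public, reasons = assess_bucket(pab, OPEN_ACL, OPEN_POLICY)
        print(f"{label}: public={public}")
        for reason in reasons:
            print("  -", reason)
```

The design choice worth noting is that turning on only two of the four flags (`BlockPublicAcls` and `BlockPublicPolicy`) blocks new public grants but leaves an already-public bucket open, which is why `assess_bucket` insists on all four before it stops looking at the ACL and policy.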
The misconfigured AWS bucket was labeled “csc-bhim” and contained a little over 400GB of financial data records belonging to citizens and business merchants. These 7.26 million exposed records included scans of Aadhaar cards, scans of caste certificates, professional certificates, degrees, and diplomas, screenshots taken within financial and banking apps as proof of fund transfers, Permanent Account Number (PAN) cards, and photos used as proof of residence.
The data records also included names, dates of birth, age, gender, home addresses, religion, caste status, biometric details, ID photos, fingerprint scans, and government ID card numbers of millions of citizens, as well as massive CSV lists of merchant businesses signed up to BHIM, each with the business owner’s UPI ID.
“The sheer volume of sensitive, private data exposed, along with UPI IDs, document scans, and more, makes this breach deeply concerning. The exposure of BHIM user data is akin to a hacker gaining access to the entire data infrastructure of a bank, along with millions of its users’ account information. Having such sensitive financial data in the public domain or the hands of criminal hackers would make it incredibly easy to trick, defraud, and steal from the people exposed,” vpnMentor said.
“The exposure of private data may also contribute to a broader deterioration of trust between the Indian public, government bodies, and technology companies. Data privacy is a huge concern for people from all sections of society, and many people could be reluctant to adopt a software tool linked to such a scandal.
“As the Indian government is actively involved in the adoption of UPI apps like BHIM across the country, they risk harmful exposure by association and further discontent from the populace,” the firm added.
The unsecured S3 bucket was first discovered by the security researchers on 23rd April this year. On 28th April, having received no response from the developers of www.cscbhim.in, the website that owned the data set, they reported the exposure to CERT-In, India’s nodal agency for responding to computer security incidents.
Public access to the bucket was finally closed on 22nd May, after the researchers contacted CERT-In a second time on finding that the data was still publicly accessible.
“It appears CSC established the website connected to the misconfigured S3 Bucket to promote BHIM usage across India and sign up new merchant businesses, such as mechanics, farmers, service providers, and store owners onto the app. It’s difficult to say precisely, but the S3 bucket seemed to contain records from a short period: February 2019. However, even within such a short timeframe, over 7 million records had been uploaded and exposed,” vpnMentor added.