Private Details of 73 Lakh Indians Exposed in BHIM Data Leak, NPCI Issues Denial

An independent cyber security research firm has disclosed that almost 73 lakh Indians were left opened to the possibility of data-based fraud, due to lax security standards maintained in the official UPI app, BHIM. According to the researchers at vpnMentor, CSC e-Governance Services, which is the private firm that was contracted to develop and maintain user data associated with the BHIM app, left one of its Amazon Web Services S3 cloud data storage bucket uncsecured, and hence open to the public. The data storage misconfiguration was for a period between February 2019 and May 2020, when it was patched. However, with a total of about 73 lakh users exposed for over a year, it isn’t clear as to how big an impact did the security lapse actually have.

According to vpnMentor, the kind of data that was accessible through the AWS S3 bucket include Aadhaar cards, “caste certificates”, residential address proofs, educational degrees, banking and financial transcripts, and PAN details. As a result, for all the 73 lakh users exposed in this situation, all information including residential address and biometric authentication info were revealed online. vpnMentor has also offered some examples of identification documents as proof of their findings.

However, an Economic Times report on the matter states that the National Payments Council of India (NPCI) has categorically denied any data breach of UPI users. The statement says, “We have come across some news reports which suggest data breach at BHIM App. We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem.”

vpnMentor has revealed that the unsecured data bucket was 409GB in size, and was discovered by the agency on April 23. Following the discovery, the firm reported the data breach to the Indian Computer Emergency Response Team (CERT-In) on April 28, and received an initial response on April 29. It also attempted to directly contact CSC e-Gov on May 5, but says that no response was received from the company’s end. It then contacted CERT-In again on May 22, and the unsecured bucket was finally patched soon after.

While the vulnerable data bucket no longer remains in public domain, given that it was open for anyone for over one year, it will remain unclear as to whether any malicious user may have gotten their hands on such data. Despite the NPCI’s denial of the incident, any such lapse in security standard will raise alarm regarding the cyber security status of government-backed digital initiatives.