On Sunday, May 31, 2020, a few security researchers reported a major data breach related to a government website in India.
Security researchers Noam Rotem and Ran Locar from vpnMentor published a report detailing a breach of approximately 7.26 million records related to India’s e-Governance website.
The researchers stated that the data was exposed through a misconfigured Amazon Web Services (AWS) S3 storage bucket containing 409 GB of data, including sensitive profile information and financial data related to BHIM app users.
Although the data breach has been associated with the widely used BHIM app, the app itself did not suffer any data breach.
The breach occurred at one of the e-governance websites (https://cscbhim.in) developed for the Common Service Centres (CSC) program, which aims to deliver Government of India e-governance services to rural and remote locations where computers and internet access are scarce. The data related to BHIM app users was stored in an exposed S3 bucket hosted by the CSC website that suffered the leak.
In response to the incident, NPCI, the maker of the BHIM app, has released a press statement saying, “We have come across some news reports which suggest data breach at BHIM App. We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows a high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem.”
What data was affected?
The leaky AWS S3 bucket was accessible on the internet without any authentication. It included users’ Aadhaar card scans, caste certificates, PAN numbers, and other PII of applicants, as well as the users’ UPI IDs.
The data stored in the storage bucket dated back to February 2019.
Since the BHIM app didn’t suffer any breach, users can continue using it while following all security best practices.
Users whose data was leaked in this e-governance site breach must take the necessary actions, as their data could be abused by attackers to take over user accounts and perform fraudulent transactions.
Users of online payment apps must take precautions to secure their accounts by using recommended security measures such as strong, unique passwords and two-factor authentication (2FA).
Also, it is recommended to always safeguard your financial information and never share it with any unknown entities claiming to represent your bank or other financial institutions.