The rate at which users' data are being exposed is a cause for alarm. India's BHIM payments app, which handles millions of transactions, has suffered a large data exposure. BHIM is an app built on the Unified Payments Interface (UPI) platform run by the National Payments Corporation of India (NPCI). UPI also underpins other services such as Paytm, Google Pay, PhonePe and WhatsApp payments. The exposure affected the personal data of about 7 million Indians.
The scale of the system makes the exposure all the more serious: according to the app's official account, UPI has been processing over a billion transactions a month in recent months.
With over a billion monthly transactions, UPI has been surging as the preferred mode of payment throughout the country. Use BHIM UPI and transform the way you transact. #DigitalIndia #InstantPayments #NPCI #BHIMUPI #PaySafe #StaySafe @dilipasbe pic.twitter.com/tZZLqC0VI8
— BHIM (@NPCI_BHIM) June 1, 2020
The leaked personal data could be used to extort money or further private information from users. Given the sensitive nature of the documents, the researchers who reported the exposure have also warned that attackers could use details such as UPI IDs to trace users' financial records, some of which belong to minors.
A research team from vpnMentor, a cybersecurity company, released a report stating that 409 GB of data belonging to the BHIM website was stored in a misconfigured Amazon Web Services (AWS) S3 bucket, leaving it publicly accessible to anyone who found it. The vpnMentor team discovered the unsecured bucket on the 23rd of April 2020 and alerted India's Computer Emergency Response Team (CERT-In) on the 28th of April. On the 22nd of May, after a second contact with CERT-In, the bucket was finally secured.
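The misconfiguration described above, an S3 bucket whose policy or ACL lets anyone read its objects, is one of the easiest cloud mistakes to check for. The following is an added example, not code from the original article, vpnMentor or NPCI: it audits a bucket policy, a bucket ACL and the S3 Block Public Access settings for public exposure, using constructed sample inputs. The bucket name, account ID, role name and helper names are this example's own assumptions; in a real audit the three inputs would come from the `get_bucket_policy`, `get_bucket_acl` and `get_public_access_block` calls of the AWS SDK.

```python
"""Offline checks for a publicly readable S3 bucket (added example).

The policy, ACL and public-access-block documents below are constructed
for illustration; the bucket and account identifiers are made up.
"""
import json

# Grantee URIs that make an ACL grant public.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The four flags that together form S3 Block Public Access.
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (anonymous access)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy_json):
    """Return the Sids (or positional names) of unconditional Allow
    statements that grant any principal an S3 action."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue                      # Deny statements cannot expose data
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue                      # conditional grants need manual review
        actions = _as_list(stmt.get("Action"))
        if any(a == "*" or a.lower().startswith("s3:") for a in actions):
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def public_acl_grants(acl):
    """Return (group, permission) pairs for grants to AllUsers or
    AuthenticatedUsers in a bucket ACL."""
    out = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEES:
            out.append((uri.rsplit("/", 1)[-1], grant["Permission"]))
    return out


def block_public_access_effective(config):
    """True only when all four Block Public Access flags are enabled."""
    return all(config.get(flag) is True for flag in BPA_FLAGS)


def audit_bucket(policy_json, acl, bpa_config):
    """Summarise the three checks; 'exposed' means some path to public read."""
    policy_hits = public_policy_statements(policy_json)
    acl_hits = public_acl_grants(acl)
    bpa_on = block_public_access_effective(bpa_config)
    return {
        "public_policy_statements": policy_hits,
        "public_acl_grants": acl_hits,
        "block_public_access": bpa_on,
        "exposed": not bpa_on and bool(policy_hits or acl_hits),
    }


# --- Constructed sample inputs (hypothetical bucket and account) ---
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-onboarding-docs/*"}]})

HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ServiceRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/OnboardingService"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-onboarding-docs/*"},
    {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-onboarding-docs/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
     "Permission": "FULL_CONTROL"}]}

PRIVATE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
     "Permission": "FULL_CONTROL"}]}

BPA_OFF = {flag: False for flag in BPA_FLAGS}
BPA_ON = {flag: True for flag in BPA_FLAGS}

if __name__ == "__main__":
    print(audit_bucket(WEAK_POLICY, WEAK_ACL, BPA_OFF))
    print(audit_bucket(HARDENED_POLICY, PRIVATE_ACL, BPA_ON))
```

Two design choices are worth noting. Statements with a `Condition` are skipped rather than flagged, because a condition such as a source-VPC or `aws:SecureTransport` restriction can make an otherwise public-looking grant safe, and deciding that needs a human; and the overall `exposed` verdict treats Block Public Access as decisive, since when all four flags are on, AWS ignores public ACLs and rejects public bucket policies regardless of what the documents say.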
The bucket mostly contained onboarding documents used to open bank accounts: scans of Aadhaar cards, caste certificates, proofs of residence, Permanent Account Number (PAN) cards and screenshots of fund transfers submitted as proof, dating back to February 2019. It also contained more than 1 million UPI IDs, which are directly linked to users' bank accounts.