Sensitive data of more than 7 million BHIM app users has been compromised after a BHIM-related website containing sensitive documents such as Aadhaar cards and caste certificates was found exposed to the public by vpnMentor, an Israeli cybersecurity website. Describing themselves as a group of ethical hackers, they had reported the breach to the Indian authorities in April.
The website, http://cscbhim.in/, now taken down, was reportedly storing data on an Amazon AWS server that was left exposed to the internet. According to the cybersecurity firm's blog post, the breach was plugged on May 22nd by CSC e-Governance Services, which built the website.
The magnitude of the breach is extraordinary. The report claims that everything from scans of Aadhaar cards, caste certificates, photos used as proof of residence, professional certificates, degrees, diplomas, screenshots taken within the app as proof of fund transfers, PAN cards and more was left exposed for any malicious actor to find.
The breach also included the names, date of birth, age, gender, home address, religion, caste status, biometric details, fingerprint scans and ID numbers for government social security services.
The corpus of the breached data indicates this is by far the most comprehensive leak of Indian data, one that can easily be used for identity theft, and there have been quite a few such leaks over the past few years. The report also mentions that the breached website contained data of minors, with some records belonging to people under 18.
Similarly, over 1 million CSV lists of individual app users and their UPI IDs were also left exposed.
Furthermore, the exposed data included an APK that could potentially have given a malicious agent access to all the data, along with the ability to start and stop the AWS servers at will.
Digit.in independently reached out to NPCI, the payments corporation that oversees the online payments landscape in India as well as the operations of the BHIM app, to verify the breach. NPCI denied any compromise of its data.
“We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations,” the organisation said in a statement.
“NPCI follows a high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem,” the statement added.
The website was reportedly used in a campaign to sign up more users and merchants on the BHIM UPI app. The personal records dated as far back as February 2019, and the total size of the dump reached 409GB.
VpnMentor found an unsecured Amazon Web Services (AWS) S3 bucket housing the data. S3 buckets are a common way of storing data in the cloud, but they require the developer to configure the access controls that keep the data private. The team was quickly able to identify who the bucket belonged to.
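The exposure described above comes down to bucket configuration: an S3 bucket policy that grants read or list access to the anonymous principal `*` without any condition is what makes a bucket readable by anyone on the internet. The following added example (written for this page, not code from the article, vpnMentor or CSC e-Governance) is a small defender-side check that parses bucket policy documents and flags such statements, then folds in the bucket's Block Public Access setting. The bucket names, the account ID `123456789012` and the policies themselves are constructed for illustration.

```python
import json

# Actions that let a caller read objects or enumerate a bucket's keys.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True when a statement's Principal means 'anyone', i.e. "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(who == "*" for who in _as_list(principal.get("AWS")))
    return False


def find_public_statements(policy):
    """Return Sids (or positional labels) of Allow statements that grant
    read/list access to the anonymous principal with no Condition block."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        if stmt.get("Condition"):
            # Scoped grant (e.g. restricted to a VPC endpoint); not open to the internet.
            continue
        findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


def bucket_is_public(policy, public_access_block=None):
    """Effective exposure: a public policy is neutralised when the bucket's
    Block Public Access setting RestrictPublicBuckets is enabled, because S3
    then ignores the public grant for anonymous callers."""
    pab = public_access_block or {}
    if pab.get("RestrictPublicBuckets"):
        return False
    return bool(find_public_statements(policy))


# Constructed weak policy: the classic "public read" grant on an onboarding-documents bucket.
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-onboarding-docs", "arn:aws:s3:::example-onboarding-docs/*"]
  }]
}
""")

# Constructed hardened policy: access only for a named application role, plus a
# wildcard principal that is conditioned on a specific VPC endpoint (placeholder IDs).
HARDENED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AppRoleOnly",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/OnboardingApp"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-onboarding-docs/*"
    },
    {
      "Sid": "VpcEndpointOnly",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-onboarding-docs/*",
      "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}
    }
  ]
}
""")

if __name__ == "__main__":
    print("weak policy public statements:", find_public_statements(WEAK_POLICY))
    print("hardened policy public statements:", find_public_statements(HARDENED_POLICY))
    print("weak policy, RestrictPublicBuckets on:",
          bucket_is_public(WEAK_POLICY, {"RestrictPublicBuckets": True}))
```

In practice the policy document would come from `GetBucketPolicy` and the Block Public Access flags from `GetPublicAccessBlock`; the evaluation logic above is the part worth running across every bucket in an account, since a single unconditioned `Principal: "*"` is enough to reproduce the exposure this article describes.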
The cybersecurity firm was reportedly working on a huge web mapping project and using port scanning to examine particular IP blocks to test for weaknesses and vulnerabilities. This is when they discovered the unsecured AWS S3 Bucket.
After investigating the breach, vpnMentor first reached out to the website's developer, CSC e-Governance, but received no reply. The group then contacted India's Computer Emergency Response Team (CERT-In) twice, and only after the second attempt was the breach plugged. The website has now been taken down.