Personal data of over 7 mn Indians collected for BHIM sign-ups exposed online: Researcher
Updated: Jun 01, 2020 20:21 IST
Sensitive information of at least seven million Indians, including scans of their Aadhaar cards and snapshots of their banking transactions, was exposed online, according to Israel-based cybersecurity researchers who said they flagged the issue to government agencies which took nearly a month to plug the leak.
The researchers said that the database ran to 409 GB and included data and images collected by the CSC BHIM website. A review of the website by HT showed that this data was collected by government-employed volunteers who were tasked with getting merchants and shopkeepers in small towns and villages to use BHIM, a state-supported payments application pushed during a government drive for cashless transactions.
Such data is a source of profit for cyber criminals, who can either sell it on the dark web or use it for identity theft, which can then help them gain access to a person's bank accounts. “The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals,” the researchers said in their blog post on vpnmentor.com.
The data was stored without security safeguards on an Amazon Web Services (AWS) server “S3 bucket”, the researchers said. “S3 buckets are a popular form of cloud storage across the world but require developers to set up security protocols on their accounts. The exposed S3 bucket was labelled ‘csc-bhim’, and our team was quickly able to identify the developers behind the website ‘www.cscbhim.in’ as the owners of the data,” they said.
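The exposure described above is the classic S3 failure mode: a bucket whose policy or ACL grants read and list access to an anonymous principal, with none of the account-level guardrails switched on. As an added example, not code from the article, from vpnMentor or from CSC, the following Python checks the three places such a grant can live (the bucket policy, the bucket ACL and the Public Access Block settings) and reports whether anonymous access is possible. The input shapes follow what boto3's `get_bucket_policy`, `get_bucket_acl` and `get_public_access_block` return, but the bucket name, account ID and role name are placeholders and every configuration below is constructed so the script runs offline; the "weak" set is modelled on the misconfiguration class the researchers describe, not on the real bucket's settings.

```python
import json

# Canned group grantees that make an ACL grant readable by anyone on the
# internet (AllUsers) or by any AWS account holder (AuthenticatedUsers).
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# All four Public Access Block switches are needed to neutralise both
# ACL-based and policy-based public exposure.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_anonymous(principal):
    """True for the principal spellings that mean 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json):
    """Return one finding per Allow statement whose principal is anonymous.

    A Condition block may narrow the grant (e.g. to one VPC endpoint), so it is
    flagged for human review rather than treated as making the statement safe.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given bare
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append({"sid": stmt.get("Sid", f"statement[{idx}]"),
                         "actions": actions,
                         "conditioned": "Condition" in stmt})
    return findings


def public_acl_grants(acl):
    """Return (group, permission) for every ACL grant to a public group."""
    grants = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_ACL_URIS.get(grantee.get("URI")) if grantee.get("Type") == "Group" else None
        if group:
            grants.append((group, grant.get("Permission")))
    return grants


def public_access_block_complete(pab):
    """True only if all four Public Access Block switches are on."""
    return all(pab.get(key) is True for key in PAB_KEYS)


def assess_bucket(policy_json, acl, pab):
    """Combine the three checks. 'exposed' is conservative: any anonymous grant
    counts unless the full Public Access Block is in force."""
    policy_findings = public_policy_statements(policy_json) if policy_json else []
    acl_findings = public_acl_grants(acl)
    pab_ok = public_access_block_complete(pab)
    return {"policy": policy_findings, "acl": acl_findings,
            "public_access_block": pab_ok,
            "exposed": (not pab_ok) and bool(policy_findings or acl_findings)}


# Constructed sample configurations (placeholder names and IDs, not real data).
# Weak: anonymous GetObject *and* ListBucket, world-readable ACL, no Public Access Block.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-kyc-uploads", "arn:aws:s3:::example-kyc-uploads/*"]}]})
WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
WEAK_PAB = {key: False for key in PAB_KEYS}

# Hardened: access only for a named role, owner-only ACL, all four blocks on.
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "UploaderOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/kyc-uploader"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-kyc-uploads/*"}]})
HARDENED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}]}
HARDENED_PAB = {key: True for key in PAB_KEYS}

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_POLICY, WEAK_ACL, WEAK_PAB)),
                        ("hardened", (HARDENED_POLICY, HARDENED_ACL, HARDENED_PAB))):
        print(label, json.dumps(assess_bucket(*args), indent=2))
```

Against a live account the three inputs come from `s3.get_bucket_policy(Bucket=name)["Policy"]`, `s3.get_bucket_acl(Bucket=name)` and `s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]`; a missing policy or block configuration raises a client error and should be treated as "none set". Note that `s3:ListBucket` for an anonymous principal is what lets a stranger enumerate every object name, which is how a 409 GB trove gets sampled and sized from outside.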
CSC is a government body that supports e-governance projects. According to the CSC BHIM website, it sends village-level entrepreneurs (VLEs), people who sign up for grassroots outreach work, to train “merchants on BHIM App and will tell them the benefits of the BHIM App. After training the merchants, VLEs will install BHIM App on their mobiles and will link their respective bank account with BHIM App”.
The data appears to be Know Your Customer (KYC) documentation collected for this purpose. Snapshots of the exposed files, posted by the Israeli researchers with sensitive details redacted, showed Aadhaar cards, caste certificates and a database of UPI payment IDs along with the name and the type of business of each merchant.
In a statement, CSC e-Governance Services India Ltd denied that personal information was exposed by the server and said that it does not collect Aadhaar data. “Static pages of the portal including e-text content, pdf files, pictures, awareness videos etc were kept public. The project did not involve taking Aadhaar data of any merchant, therefore there is no question of personal identifiable information such as Aadhaar data to be made public,” it said.
The researcher, however, said that Aadhaar card information was part of the database. “We sampled files from the bucket, trying to determine the sensitivity of the data, and its owners; we confirmed the existence of personally identifiable information (Aadhaar cards, caste certificates, photos of electricity poles - probably to determine address),” said Ran Locar, one of the two researchers who found the data.
According to the blog, the leak was first found on April 23 and was not fixed until at least May 22. “We reached out to the website’s developers to notify them of the misconfiguration in their S3 bucket and to offer our assistance. After not receiving a reply, we contacted India’s Computer Emergency Response Team (CERT-In), which deals with cybersecurity in the country. Many weeks later, we contacted CERT-In a second time. Shortly thereafter, the breach was closed,” Locar said, adding that it appears to have been CERT-In that eventually acted.
CERT-In did not respond to requests for comment on the incident. The National Payments Corporation of India (NPCI) said no BHIM data had been breached, but did not reply to a specific question about the information that appears to have been collected in order to sign up traders for the app.
According to Locar, it was unclear how long the 409GB of data sat on the internet unsecured. “We cannot know for how long it was open, or who accessed it. There is a good chance it has been accessed by parties with criminal intentions. The only ones who can know that are CSC-BHIM themselves - the owners of the data - by conducting a thorough investigation and publishing a forensic report,” the researcher, who is based in Tel Aviv, said.
Cyber security researchers and intelligence experts have warned that such mass data leaks can also be used to build citizen profiles, which more sophisticated adversaries, such as state-backed hackers, can turn into national security threats.