Data of over 7 million BHIM UPI users was breached, this includes PAN card, Aadhaar card which contains biometric identity of a citizen, caste certificates, proof of residence and various personnel certificates, according to a report released by an Israeli cyber security firm VpnMentor.
Researchers at the firm, Ran locar and Noam Rotter said that a massive amount of incredibly sensitive financial data connected to India’s mobile payment app BHIM was exposed to the public.
They discovered the breach on April 23,2020 and it seemed to have contained data from February 2019. The information was stored on Amazon’s Misinformed AWS S3 bucket, which is a public cloud storage resource and all the information was available publicly until May 22,2020.
In its data breaching report, the firm clearly mentioned that S3 bucket carried information like Aadhaar card, caste certificates, pan card and other confidential information of users, they have also expressed serious concern related to the breached data, as cyber criminals can use these information to meet their illicit goals such as bank fraud, identify theft, tax fraud and many other cyber-crimes.
Two researchers Rotem and locar in a report published by Indian Express mentioned: ‘it stands by the fact that personal data of over 7 million BHIM users was left exposed to anyone with a web browser’.
However ,according to a statement released by National payment corporation of India (NCPI) on June 1, it said: ‘We have come across some news reports which suggest data breach at BHIM App. We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem’.
Meanwhile, in another statement released by CSC, it denied the claim of data breach by VpnMentor and said that the project doesn’t involve taking Aadhaar card from any merchant. So, there is no such point of personal information such as Aadhaar to be made public.
Rotem and locar asserted the claim as it goes against the evidence the researchers have found and said: ‘We are confused about this claim as it is not supported by the evidence( screenshots of Aadhaar and other confidential information),we have shared with Indian Authorities’.
Last month a similar case was reported with another Indian app – ‘Arogya setu’ where a French hacker, Elliot Alderson on Twitter claimed that ‘ the privacy of 90 million Indians is at stake’ and asked the Indian authority to contact him.
