Data breach on Indian mobile payment app BHIM exposes 7 million records

A data breach involving the government-promoted payments app BHIM in India has exposed highly sensitive personal data of over 7 million people. The vulnerability and the resulting data exposure were brought to light by an Israeli cybersecurity company.

The CSC BHIM website is used for financial transactions through a unified payment interface (UPI) as part of the federal government's digital access initiatives in the villages. The BHIM project was initially launched to drive digital payments for merchants across rural India. The app was developed by the National Payment Corporation of India, a state-owned enterprise. 


The NPCI has meanwhile denied that there has been any security breach that caused user data to be compromised. “We have come across some news reports which suggest data breach at BHIM App. We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem,” the NPCI statement said.

Israeli cybersecurity firm vpnMentor, which found the data breach, said more than 400 GB of user data was exposed, including details of Aadhaar registrations, caste certificates and other personal data that could be used to identify people and businesses.

The company claimed that the hacker would now possess complete data of users and likened it to gaining access to the data infrastructure of a bank with all user account information. It said the vulnerability was first detected on April 23 and was reportedly fixed nearly a month later on May 22. 

Though there is no evidence that the BHIM app itself was leaking data or that the UPI system was insecure, the security firm says that more research is required to highlight the vulnerabilities so that future threats can be avoided.

Ironically, news of the breach comes when #CSCSocialMediaDay has been trending on Twitter. 

In the report, vpnMentor says the data collected for deploying the BHIM app was stored on a misconfigured Amazon Web Services S3 bucket that was publicly accessible. This, the firm said, is a common error that many companies make when setting up their cloud systems. The unsecured data amounted to 409 GB and contained information about individuals and several merchants.
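The misconfiguration the report describes, a bucket that anyone on the internet can read, is something a defender can check for before data ever lands in it. The following is an added illustration, not code from vpnMentor, CSC or NPCI, and it does not reproduce the actual bucket configuration, which the report does not publish. It parses a bucket policy and an ACL of the kind that make a bucket world-readable, flags the offending grants, and lists the AWS Block Public Access settings that prevent both. The bucket name, account id and role name are constructed for the example.

```python
"""Flag S3 bucket policies and ACLs that grant anonymous (public) read access.

Added example for illustration; the sample policies and ACL below are constructed
and do not describe the real CSC BHIM bucket.
"""
import json

# Constructed sample: a bucket policy that leaves the bucket and every object world-readable.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnyoneRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed sample: the same access scoped to one IAM role (hypothetical account and role).
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed sample: wildcard principal restricted by a source-IP condition; may or may not be
# public depending on the CIDR, so it is reported for manual review rather than as a finding.
CONDITIONAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowFromOffice",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-bucket/*"],
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
})

# ACL grantee URIs AWS uses for "anyone" and for "any authenticated AWS account".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list of principals)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False

def public_statements(policy_json):
    """Return (public_sids, review_sids) for Allow statements with a wildcard principal.

    Statements without a Condition are definitely public; those with one need a human look.
    """
    policy = json.loads(policy_json)
    public, needs_review = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        (needs_review if stmt.get("Condition") else public).append(sid)
    return public, needs_review

def public_acl_grants(grants):
    """Return (grantee URI, permission) for ACL grants to the AllUsers/AuthenticatedUsers groups."""
    return [(g["Grantee"].get("URI"), g["Permission"]) for g in grants
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GRANTEES]

# Bucket- or account-level Block Public Access settings that make both findings impossible.
BLOCK_PUBLIC_ACCESS = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}

if __name__ == "__main__":
    for name, pol in [("public", PUBLIC_POLICY), ("private", PRIVATE_POLICY), ("conditional", CONDITIONAL_POLICY)]:
        print(name, public_statements(pol))
    acl = [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
            "Permission": "READ"}]
    print("acl", public_acl_grants(acl))
```

The same checks can be run against a live account by feeding the output of `get_bucket_policy` and `get_bucket_acl` into these functions; the four Block Public Access settings, applied at the account level, are the control that stops a stray policy or ACL from ever taking effect.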

The UPI payment system is similar to a bank account and is valuable to hackers in general. It gives them access to vast amounts of information about a person's finances and bank accounts, which can then be used to illegally access them and make fraudulent transactions.

The statement from vpnMentor's research team said it discovered the misconfiguration in CSC's S3 bucket as part of a huge web mapping project. “Our researchers use port scanning to examine particular IP blocks and test different systems for weaknesses or vulnerabilities. They examine each weakness for any data being exposed,” the report said.

This is not the first time that vulnerability issues have been raised by third parties around apps in India. The Covid-19 tracing app Aarogya Setu saw several such reports, including one from an ethical hacker in Bangalore who claimed he broke into the system in a very short time. The administration took cognisance of these reports and offered a bug bounty program after sharing the code base on public platforms like GitHub.
