

The research team at vpnMentor, an online security firm, said on Sunday that sensitive financial and personal data related to BHIM, India’s mobile payment app, was exposed to the public. The firm said that more than 400GB of data, containing over seven million sensitive records “affecting millions of people all over India,” was exposed from a “misconfigured Amazon Web Services S3 bucket.” The team said that the exposed records include scans of Aadhaar cards, scans of caste certificates and Permanent Account Number (PAN) cards. According to the vpnMentor report, the research team discovered the issue on April 23 and reached out to India’s Computer Emergency Response Team (CERT) on April 28. However, the breach was said to be closed only on May 22, after the research team at vpnMentor reached out to CERT for the second time.
Exposed Data Include Photos Used as Proof of Residence
In addition to the scans of Aadhaar cards, caste certificates and PAN cards, the report said that the sensitive records exposed to the public include photos used as proof of residence. Screenshots taken within financial apps as proof of fund transfers, along with professional certificates, degrees and diplomas, were also said to be part of the exposed records.
“The private personal user data within these documents gave a complete profile of individuals, their finances, and banking records,” vpnMentor said in the report.
The exposed data from the BHIM app was said to be stored on an unsecured Amazon Web Services (AWS) S3 bucket.