The research team at vpnMentor, an online security firm on Sunday said that sensitive financial and personal data related to BHIM, India’s mobile payment app was exposed to the public. The firm said that the data over 400GB containing over seven million sensitive records “affecting millions of people all over India” were being exposed from an “misconfigured Amazon Web Services S3 bucket.” The team said that the sensitive records that were exposed to the public include scans of Aadhaar cards, scans of caste certificates and Permanent Account Number (PAN) cards. According to the vpnMentor report, the research team discovered the issue on April 23 and reached out to India’s Computer Emergency Response Team (CERT) on April 28. However, the breach was said to be closed only on May 22 after the research team at vpnMentor reached out to CERT for the second time.
Exposed Data Include Photos Used as Proof of Residence
In addition to the scans of Aadhaar cards, caste certificates and PAN cards, the report said that the sensitive records exposed to the public include photos used as proof of residence. Additionally, the screenshots taken within financial apps as proof of fund transfers along with professional certificates, degrees and diplomas were also said to be part of the records that were exposed.
“The private personal user data within these documents gave a complete profile of individuals, their finances, and banking records,” vpnMentor said in the report.
The particular set of data from the BHIM app that were exposed were said to be stored on unsecured Amazon Web Services (AWS) S3 bucket.
“S3 buckets are a popular form of cloud storage across the world but require developers to set up the security protocols on their accounts,” vpnMentor said in the report.
Further, the vpnMentor team provided samples of the document stored in the misconfigured AWS S3 bucket including scans of Aadhaar card and caste certificate.
Data Breach Could Result in Identity Theft and Tax Fraud
The report said that the volume of the sensitive data that were exposed to the public made the data breach “deeply concerning.”
Identity theft and tax frauds were listed on the report as the possible crimes that could be committed by cybercriminals based on the data breach. Additionally, the report said that hackers could access BHIM account and withdraw large amounts of money.
“The exposure of private data may also contribute to a broader deterioration of trust between the Indian public, government bodies, and technology companies,” vpnMentor said in the report. “Data privacy is a huge concern for people from all sections of society, and many people could be reluctant to adopt a software tool linked to such a scandal.”
The report said that the BHIM users concerned about the data breach might reach out to CSC e-Governance Services directly to understand the steps that are being taken by them to resolve the issue.
