There have been alarming reports in the media since the last week of May 2020 till the recent past about exposure of private data in BHIM App. This may be obviated or denied, and is left to the audience, who are now witnesses to the downing of the website, http://cscbhim.in/. The speculation of 73 Lakh Indians PII (and related information) being exposed in BHIM Data Leak, which has been denied by NPCI has been flooding the digital news forums over the last week or so. The legal maxim “Actus non facit reum nisi mens sit rea”, is seen to be adjusted as the apt description of the present scenario. However, we at “Cyber Secure India” (https://cybersecureindia.in/) advise our esteemed readers not to panic and also ensure that the last mile of your fiscal property i.e. the Bank Account credentials are adequately protected based on the advisories and guidelines issued by the Bank from time-to-time.
An independent Israeli Cyber Security firm ‘vpnMentor’, is said to have reported the breach to the Indian authorities in April. The firm had on 23 April 2020 revealed that the unsecured data bucket on AWS containing data associated with the BHIM app, including details of BHIM customers Aadhaar cards, caste certificates, photos used as proof of residence, professional certificates, degrees, diplomas, screenshots taken within the app as proof of fund transfers, PAN cards, and more have been left exposed for any malicious hacker in an unsecured form. The breach also included the names, date of birth, age, gender, home address, religion, caste status, biometric details, fingerprint scans and ID numbers issued by government agencies in India. “vpnMentor” also reported the total data size was 409GB in size. The company who were managing the services and also the developer of the official Bhim website and the care-taker of sensitive data is understood to be the Common Services Center(CSC) e-Governance Services LTD and also partly managed by the Indian government in an SPV model.
VpnMentor was reportedly working on a huge web mapping project and was said to be using port scanning to examine particular IP blocks to test for weaknesses and vulnerabilities as a generic practice. This is when that they discovered the unsecured AWS S3 Bucket, hosted on IP address 220.127.116.11 and AS No 16509.
The magnitude of the breached data indicates this may by far be the most comprehensive leak of Indian data, especially where a government agency is directly/indirectly involved.
The data was stored on an AWS weakly configured server. This wrongly configured unsecured Amazon Web Services (AWS) S3 bucket was housing the data of vital significance of a salient Financial Services patronized by the Government of India. The S3 buckets are a common way of storing data in the cloud but for a secure utility like BHIM App the owner is required to designate security protocols to secure the data.
The website http://cscbhim.in/ is firstly not even from the “.gov.in” subdomain and also is not stored on a NIC service and is hosted on a private server with Registry being “Endurance Domains Technology LLP” and the Names Server being that of “INSPHERE EARTH”. This cloud service is also seen to be hired by AWS in which a large number of other non-government websites are co-hosted along with the government website and services.
Noam Rotem and Ran Locar, the cybersecurity researchers who discovered the data leak, said: “The sheer volume of sensitive, private data exposed, along with UPI IDs, document scans, and more, makes this breach deeply concerning. The exposure of BHIM user data is akin to a hacker gaining access to the entire data infrastructure of a bank, along with millions of its users’ account information’. Also “As a result, for all the 73 lakh users exposed in this situation, all information including residential address and biometric authentication info were revealed online.” said the researchers. The firm to which there researches belong to (vpnMentor) have also claimed that “over 1 million CSV lists of individual app users and their UPI IDs were also left exposed. Furthermore, the breach is also said to contain an APK which could potentially give key access to all data, and the ability to start and stop the AWS servers at will by any malicious agent who has access to it.”
While the vulnerable data bucket no longer remains in public domain, given that it was open for anyone for over one year, it will remain unclear as to whether any malicious user may have gotten their hands on such data. Despite for the reasons that the NPCI’s is in denial of the incident, the security fraternity have surely raised eye-brows. Also for the fact that any such lapse in security standard may have resulted in failed cyber security status of government-backed digital initiatives, all the aspect is now may have to be subjected to Forensic Audit/Investigation.
Now that the subject website is down and also for the aspect that BHIM users have been sensitized, as also for the fact that the Government through NPCI have issued appropriate advisories and also denied any serious laps; the users need not to panic and also entrust the faith on the government and continue using the digital transaction facility extended by the government (which also incurs huge cost for build, maintenance and security), without fear.