[BreachExchange] Payment App Data Breach Exposes Millions of Indians' Data

Destry Winant destry at riskbasedsecurity.com
Thu Jun 4 10:12:25 EDT 2020


A major data breach at mobile payment app Bharat Interface for Money
(BHIM) has exposed the personal and financial data of millions of

The breach occurred after BHIM failed to securely store vast swathes
of data collected from users and businesses during a sign-up campaign.

On April 23, researchers at vpnMentor made the alarming discovery that
all the data related to the campaign was publicly accessible after
being stored in a misconfigured Amazon Web Services S3 bucket.

"The scale of the exposed data is extraordinary, affecting millions of
people all over India and exposing them to potentially devastating
fraud, theft, and attack from hackers and cybercriminals," wrote

Data exposed in the breach included scans of Ardaar cards (India’s
national ID cards), Caste certificates, professional and educational
certificates, photos used as proof of residence, Permanent Account
Number (PAN) cards associated with Indian income tax services, and
screenshots captured within financial and banking apps as proof of
fund transfers—all documents needed to open a BHIM account.

Private personal user data contained within these documents included
names, dates of birth, age, gender, home address, Caste status,
religion, biometric details, fingerprint scans, ID photos, and ID
numbers for government programs and social security services.

Over 7 million records dating from February 2019 were exposed, some of
which belonged to people aged under 18 years old.

After investigating the breach, vpnMentor's team found 409 GB of data
stored insecurely by BHIM, which operates via the website
www.cscbhim.in. Researchers traced the bucket back to BHIM as it was
labeled “csc-bhim.”

Researchers informed BHIM of their discovery but did not receive a
response, so contacted India’s Computer Emergency Response Team

"Many weeks later, we contacted CERT-In a second time," wrote
researchers. "Shortly thereafter, the breach was closed."

The Indian mobile payment app was launched in 2016 to facilitate
instant e-payments and money transfers between bank accounts via a
user's smartphone. By 2020, the popular app had been downloaded 136
million times, according to non-profit business consortium, the
National Payments Corporation of India (NPCI).

More information about the BreachExchange mailing list