A data leak from India’s BHIM payment app exposed the personal data of 7 million Indians, including addresses, scans of Aadhaar IDs, and caste certificates.
A report from cybersecurity company VPN Mentor suggests that this 409GB database was stored in a misconfigured AWS S3 bucket, which left all of the data publicly accessible. The report noted that the database belonged to BHIM’s website, which is mainly used for onboarding users.
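The failure described above has two common causes, a bucket policy or a bucket ACL that grants access to everyone, and one account-level control that neutralises both. The script below is an added example (not code from the article or from VPN Mentor) that audits configuration documents in the JSON shape returned by the S3 GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock APIs; every sample document and the bucket name in it are constructed placeholders.

```python
# Added example: offline audit of the two ways an S3 bucket becomes world-readable
# (bucket policy and bucket ACL) and of the Public Access Block that overrides both.
# All sample documents below are constructed; the bucket name is a placeholder.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def principal_is_anyone(principal):
    """True when a statement's Principal matches every caller, anonymous included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy):
    """(Sid, actions) for each unconditioned Allow statement whose Principal is anyone."""
    hits = []
    for stmt in policy.get("Statement", []):
        if (stmt.get("Effect") == "Allow" and principal_is_anyone(stmt.get("Principal"))
                and not stmt.get("Condition")):  # a Condition may scope the grant; review it separately
            actions = stmt.get("Action", [])
            hits.append((stmt.get("Sid"), [actions] if isinstance(actions, str) else actions))
    return hits

def public_acl_grants(acl):
    """(grantee URI, permission) for ACL grants to the AllUsers or AuthenticatedUsers groups."""
    return [(g["Grantee"]["URI"], g["Permission"]) for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)]

def audit_bucket(policy, acl, public_access_block):
    """List exposure findings; mark them mitigated only when all four Public Access Block flags are on."""
    findings = [f"policy statement {sid!r} allows {acts} to anyone"
                for sid, acts in public_policy_statements(policy)]
    findings += [f"ACL grants {perm} to {uri.rsplit('/', 1)[-1]}" for uri, perm in public_acl_grants(acl)]
    if findings and all(public_access_block.get(k) is True for k in PAB_KEYS):
        findings = [f"(mitigated by Public Access Block) {f}" for f in findings]
    return findings

# Constructed samples: a bucket left readable by everyone, audited with the block off and on.
EXPOSED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "OnboardingPublicRead", "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::PLACEHOLDER-onboarding-docs", "arn:aws:s3:::PLACEHOLDER-onboarding-docs/*"]}]}
EXPOSED_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
NO_BLOCK = {k: False for k in PAB_KEYS}
FULL_BLOCK = {k: True for k in PAB_KEYS}
```

Running `audit_bucket(EXPOSED_POLICY, EXPOSED_ACL, NO_BLOCK)` reports both the policy statement and the ACL grant; with `FULL_BLOCK` the same findings are reported as mitigated, which is the configuration to verify on any bucket that holds onboarding documents.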
For the uninitiated, BHIM is an app based on the Unified Payments Interface (UPI) platform by the National Payments Corporation of India. Paytm, Google Pay, PhonePe, and WhatsApp payments are some other notable services that use UPI to facilitate financial transactions.
According to VPN Mentor, its research team discovered the unsecured database on April 23, and it notified India’s Computer Emergency Response Team (CERT-In) on April 28. The breach was closed on May 22, when the company made contact with CERT-In for the second time.
The cybersecurity firm said the database contained records dating from February 2019. It mostly held onboarding documents used to open a bank account, such as scans of Aadhaar IDs, caste certificates, proof of residence, Permanent Account Number (PAN) cards, and screenshots of fund transfers submitted as proof. VPN Mentor’s report noted that it also contained more than 1 million UPI IDs; these IDs are directly linked to users’ bank accounts.
According to the app’s official account, people have made more than 1 billion transactions on average in each of the past three months.
With over a billion monthly transactions, UPI has been surging as the preferred mode of payment throughout the country. Use BHIM UPI and transform the way you transact. #DigitalIndia #InstantPayments #NPCI #BHIMUPI #PaySafe #StaySafe @dilipasbe pic.twitter.com/tZZLqC0VI8
— BHIM (@NPCI_BHIM) June 1, 2020
This exposed data can have serious implications, as it could be used to extract money or further information from the affected users. Given the sensitivity of the documents, attackers could also use details such as a UPI ID to look into the financial records of these users, some of whom are minors.
We have reached out to NPCI and CERT-In for more details, and we’ll update the story if we hear back.