Data Breach on CSC BHIM Site Puts 70 Lakh Indians’ Highly Sensitive Data at Risk

Aadhaar cards, caste certificates, along with other highly sensitive personal data of over 70 lakh Indians have reportedly been exposed by a government website.
The CSC BHIM site, used to promote the UPI payments program BHIM, reportedly suffered a huge data breach. The CSC e-Governance Service India is a program to bring digital access to villages, and the CSC BHIM project was started to get retailers at the village level to start accepting UPI payments through QR codes. Apparently, a tremendous amount of information about Indian taxpayers was accumulated on the site, and this information has been breached.
According to Israeli cybersecurity firm vpnMentor, 409GB of data of users in India has been exposed, which comprises a huge amount of highly sensitive, personally identifiable data. The firm stated that the exposure of the user data is comparable to a hacker getting ”access to the whole data infrastructure of a lender,” along with users’ account information. The vulnerability was detected early on April 23 and it’s said that the loophole was repaired on May 22.
Based on the report so far, there’s absolutely no evidence yet that the BHIM program itself was leaking data, or that the UPI system is insecure.
The report from vpnMentor asserts that the information gathered for the BHIM deployment was stored on a misconfigured Amazon Web Services S3 bucket and was ”publicly available.” This has been found to be a fairly common error that lots of sites make when setting up their cloud systems. According to vpnMentor, 409GB worth of sensitive information of individuals and several merchants was lying in the open, thereby exposing them to possible fraud, theft, and attack from hackers and cybercriminals.
Sensitive data of lakhs of Indians was stored in cloud storage with no security protocols on the accounts to protect it.
“...the data was saved on an unsecured Amazon Web Services (AWS) S3 bucket. S3 buckets are a favorite form of cloud storage across the world but need developers to prepare the security protocols in their accounts. The vulnerable S3 bucket has been labelled ‘csc-bhim,’ and our staff was quickly able to identify the programmers behind the site as the owners of the information,” claim Noam Rotem and Ran Locar, cybersecurity researchers at vpnMentor.
According to vpnMentor, the following were some of the private documents that were found in the exposed S3 bucket:
Besides this, the leak also contained UPI VPAs (transaction IDs) of individuals.
Impact of the CSC BHIM data breach
The cybersecurity firm said that the data breach exposes highly sensitive information including individuals’ Aadhaar card information, caste certificates, proof of residence, professional certifications and degrees, and scans of Permanent Account Number (PAN) cards.
“According to our study, the S3 bucket also included documents and PII [Personally identifiable information] data for minors,” the company said. The cybersecurity company explains that having such sensitive financial information in the public domain would make it ”incredibly easy to deceive, defraud, and steal from the people vulnerable.”
“The exposure of personal information may also bring about a broader deterioration of confidence between the Indian public, government bodies, and tech companies,” the company added.
What has the government said about the CSC BHIM data exposure?
The report states that the cybersecurity firm reached out to the developers of the CSC BHIM website to notify them about the breach, but no contact was established. The company then contacted India’s Computer Emergency Response Team (CERT-In), which deals with cybersecurity in the nation, on April 28, and the problem was reportedly rectified on May 22, without further response.
Gadgets 360 has also reached out to the National Payments Corporation of India and the Computer Emergency Response Team for more clarity.
