7.26 Million Data Records Of BHIM App Users Reported To Be Leaked Online, NPCI Denies Claim

New Delhi: Security researchers have found out that 7.26 million records of digital transaction app BHIM, have been exposed publically on a website. Report from VPN review website vpnMentor reveals that the leaked data includes sensitive information like Aadhar card details of account holders, besides names, gender, age, home address, caste status, etc. "The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals," the security researchers from vpnMentor wrote in a blog post. The people who found about the leak contacted India's Computer Emergency Response Team (CERT-In) twice and the breach was dealt with and closed late last month. The BHIM website has been developed by CSC e-Governance Services LTD. in partnership with the Indian government. "In this case, the data was stored on an unsecured Amazon Web Services (AWS) S3 bucket. We reached out to the website's developers to notify them of the misconfiguration in their S3 bucket and to offer our assistance. After not receiving a reply, we contacted India's Computer Emergency Response Team (CERT-In), which deals with cybersecurity in the country," they added. The leak was discovered in April and the data that has been exposed to is close to 409GB. "It's difficult to say precisely, but the S3 bucket seemed to contain records from a short period: February 2019. However, even within such a short timeframe, over 7 million records had been uploaded and exposed." The report has stated that the exposure of BHIM user data is like a hacker gaining access to the entire data infrastructure of a bank, along with millions of its users' account information. Now the National Payments Corporation of India (NPCI) has denied the security breach. The organisation took to Twitter and wrote, "NPCI follows high levels of security to protect its data infrastructure. We would like to clarify that there has been no compromise in data and request all to not fall prey to misinformation. Click to read the official press statement from NPCI."

NPCI follows high levels of security to protect its data infrastructure. We would like to clarify that there has been no compromise in data and request all to not fall prey to misinformation. Click to read the official press statement from NPCI.https://t.co/p5Xa2U6ZvJ

— India Be Safe. India Pay Digital. (@NPCI_NPCI) June 1, 2020

Bharat Interface for Money, popularly known as the BHIM app, was launched in 2016. (With Agency Inputs) WATCH: What is Dark Web And Why You Should Stay Away From It