BHIM Data Breach Exposes Information of 7 Million Users

A massive data breach at the India-based payments platform BHIM was reportedly found by the cybersecurity website vpnMentor. The security researchers' findings revealed that more than 7 million user records, stemming from its mobile payment app, were exposed.

BHIM is short for Bharat Interface for Money, an Indian mobile payment platform launched in 2016. The app was created mainly to facilitate cashless transactions in the country and to enable hassle-free payments to and from bank accounts using a mobile device.

According to vpnMentor, BHIM’s data was stored in a misconfigured Amazon Web Services S3 bucket and was accessible to the public. The exposure was first discovered on April 23, 2020, but action was only taken on May 22, 2020.

BHIM Data Breach

According to the security researchers, the breach occurred when CSC connected the BHIM website to the misconfigured Amazon Web Services S3 bucket. This was reportedly done to connect with merchants and other businesses, such as farmers, mechanics, store owners, and service providers.

Included in the massive 7 million-record data breach were Aadhaar cards, otherwise recognized as the national ID of India, as well as caste certificates. Proof of residence, including photographs, was also compromised. Moreover, personal documents such as professional certificates, degrees, and diplomas were also exposed.

Apart from the aforementioned, users’ permanent account numbers (PAN cards), names, dates of birth, ages, addresses, religion, caste status, biometric details, profile IDs and photos, and government ID numbers were revealed in the data breach, notes The Indian Express.

Following the discovery, lead researchers Noam Rotem and Ran Locar immediately notified the app's developer, a company called CSC e-Governance Services Ltd. However, the team was unable to get any response, reports the Economic Times.

After that, the team behind vpnMentor reportedly reached out to the Indian Computer Emergency Response Team (CERT-In) to disclose the breach.

Despite these claims, the National Payments Corporation of India (NPCI) maintains that there is no data breach or data privacy vulnerability in the BHIM application. In a statement, it said, “We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations.”

Furthermore, NPCI also said that it follows a high level of security and an integrated approach to protect its infrastructure and continues to provide a robust payments ecosystem.

The researchers in question told The Indian Express that they stand by their report.