BHIM Suffers Data Breach, Exposes Financial Details of over 7 Million Indians


Recently, a massive breach took place in India. A mobile payment app named BHIM allegedly suffered a data breach that exposed the sensitive financial information of over 7 million users.

BHIM Data Breach

As soon as the security bug was noticed, it was reported to the NPCI on April 23, and it took around a month to get fixed. It was then discovered that a massive amount of sensitive financial data connected to India’s BHIM mobile payment app had been exposed, invading the privacy of a great many people.

Now, according to the cybersecurity website vpnMentor, all of the data from the BHIM website was stored on a “misconfigured Amazon Web Services S3 bucket” and was easily accessible to anyone. Moreover, this was the data collected in a campaign to get millions of Indian users and business merchants to start using the app.

S3 buckets, where the data were publicly accessible, are among the most popular forms of cloud storage globally, and they require developers to configure the access protections on their own accounts. Since this one was not configured correctly, the data could easily have been accessed by hackers and cybercriminals. This is not the first time a data breach has taken place in India: recently, an intrusion involving more than 2 crore records revealed the Aadhaar card details of citizens.
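As an added illustration (not from the page or from vpnMentor's report): a small defender-side check that flags bucket policy statements open to anonymous principals and reports which S3 Block Public Access settings are still off. The two policies, bucket name and account id below are constructed placeholders.

```python
import json

# Constructed sample policies (not from the page): the first grants every
# anonymous principal read on all objects, as a misconfigured bucket might;
# the second restricts reads to one IAM role (account id is a placeholder).
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-campaign-bucket/*"}]})

LOCKED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/campaign-app"},
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-campaign-bucket/*"}]})


def _is_anonymous(principal) -> bool:
    """True if Principal is the '*' wildcard, bare or under the AWS key."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_statements(policy_json: str) -> list:
    """Sids of Allow statements open to anonymous callers with no Condition
    (a Condition such as aws:SourceVpce may still narrow access)."""
    policy = json.loads(policy_json)
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s.get("Sid", "<no Sid>") for s in stmts
            if s.get("Effect") == "Allow"
            and _is_anonymous(s.get("Principal"))
            and not s.get("Condition")]


def public_access_block_gaps(config: dict) -> list:
    """Names of the four S3 Block Public Access settings not switched on;
    with all four enabled, a policy like OPEN_POLICY cannot grant public reads."""
    wanted = ("BlockPublicAcls", "IgnorePublicAcls",
              "BlockPublicPolicy", "RestrictPublicBuckets")
    return [k for k in wanted if not config.get(k, False)]
```

The policy document and the Public Access Block configuration are what an auditor would pull for each bucket; both checks run offline on that JSON.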

However, once the core cause of the data breach was found, the security research team at vpnMentor, which was handling the case, tried reaching out to the website’s developers about the misconfiguration. Sadly, they stated that they did not receive any response.

Here’s the full report from the vpnMentor team:

So, after not receiving any response for up to five days, vpnMentor contacted India’s Computer Emergency Response Team (CERT-In) about the issue. Luckily, the security issue was finally fixed around May 22, after CERT-In was contacted a second time.

As for the records, vpnMentor stated that there were around 7.26 million records in the breached S3 bucket, with a total size estimated at 409GB. They included scans of Aadhaar cards, caste certificates, photos used as proof of residence, Permanent Account Number (PAN) cards, and more, giving a complete profile of each individual. They also held personal details such as full names, age, residential address, biometric details, banking records, and ID numbers for various government programs.

Although the information has been denied by officials, there is a clear suspicion that the denial was made to avoid chaos among the public.

Data breaches have become very common these days. If we recall the cyberwar incident that took place a while ago, we know that this is a very critical situation and can result in the privacy intrusion of many people.

As for the current situation in Nepal, there has been a hike in e-commerce users, and as the number of users increases, so does the possibility of a data breach. Since prevention is better than cure, e-wallet, mobile banking, and all other e-commerce users should be wary and not share every single detail on the internet. Users should be very careful and considerate before sharing their personal information on sites as well.
