The popular mobile payment app BHIM is under scrutiny for exposing confidential data of over 7 million users in the country. According to a report, the data was stored in a misconfigured Amazon Web Services S3 bucket and could be accessed easily.
According to the researchers at vpnMentor, 409GB of data belonging to Indian users was exposed. The report highlights that the data of individuals and several merchants was lying unsecured, which could have enabled fraud or identity theft, or given hackers the information needed to attack the users.
The report highlights that the S3 bucket contained personal records of users, including scans of Aadhaar cards, caste certificates, photos of residence proof, professional certificates, degrees and diplomas, screenshots taken within financial and banking apps as proof of transfer, and PAN numbers. The data also leaked personal user details including name, date of birth, age, gender, home address, religion, caste status, biometric details, profile and ID photos, fingerprint scans, and ID numbers for government programmes and security services.
Furthermore, the S3 bucket included documents and PII for minors and massive CSV lists of merchant businesses signed up to BHIM, along with each business owner’s UPI ID. Similarly, CSV lists of individual app users and their UPI IDs, with over 1 million such entries, were exposed as well.
The report adds that the unsecured bucket was first discovered on April 23 and that the researchers reached out to the BHIM developers to notify them about it, but received no response. The researchers then contacted India’s Computer Emergency Response Team (CERT-In) about the security flaw, and the exposure was closed around May 22, 2020.
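The misconfiguration class behind this incident is an S3 bucket whose ACL or bucket policy grants access to everyone, with the account's Block Public Access settings left off. The following added example (not from the report, vpnMentor, or BHIM) is an offline checker that evaluates a bucket's ACL grants, bucket policy statements and Block Public Access flags the way a configuration audit would, and contrasts a weak configuration with a hardened one. All bucket names, principals and policies in it are constructed for illustration and are not the real bucket's configuration.

```python
"""Offline audit of the S3 misconfiguration class behind public-bucket exposures.

Added example; every bucket name, ACL, policy and account ID below is constructed
for illustration and is not the BHIM bucket's real configuration.
"""
import json

# Grantee URIs S3 uses for "everyone" and "any AWS account" in bucket ACLs.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# All four flags must be true for Block Public Access to neutralise a public
# ACL or a public bucket policy at the bucket level.
BLOCK_PUBLIC_ACCESS_FLAGS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """A statement is open to anyone when Principal is "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy):
    """Return Sids (or indexes) of unconditional Allow statements granted to everyone."""
    policy = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A Condition may narrow "*" (e.g. to a VPC endpoint); review separately.
            continue
        findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


def public_acl_grants(acl):
    """Return permissions the ACL grants to the AllUsers/AuthenticatedUsers groups."""
    return [
        g["Permission"]
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS
    ]


def assess_bucket(name, acl, policy, public_access_block):
    """Summarise whether anonymous or any-account callers can reach the bucket."""
    acl_perms = public_acl_grants(acl)
    policy_sids = public_policy_statements(policy) if policy else []
    bpa_complete = all(public_access_block.get(f) for f in BLOCK_PUBLIC_ACCESS_FLAGS)
    return {
        "bucket": name,
        "public_acl_permissions": acl_perms,
        "public_policy_statements": policy_sids,
        "block_public_access_complete": bpa_complete,
        "exposed": bool(acl_perms or policy_sids) and not bpa_complete,
    }


# Constructed weak configuration: world-readable ACL, public-read policy, BPA off.
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"}
WEAK_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-kyc-uploads/*"},
]})
WEAK_BPA = {f: False for f in BLOCK_PUBLIC_ACCESS_FLAGS}

# Constructed hardened configuration: owner-only ACL, role-scoped policy, BPA on.
HARDENED_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "BackendOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-app-backend"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-kyc-uploads/*"},
]})
HARDENED_BPA = {f: True for f in BLOCK_PUBLIC_ACCESS_FLAGS}


def example_weak():
    return assess_bucket("example-kyc-uploads", WEAK_ACL, WEAK_POLICY, WEAK_BPA)


def example_hardened():
    return assess_bucket("example-kyc-uploads", HARDENED_ACL, HARDENED_POLICY, HARDENED_BPA)


if __name__ == "__main__":
    for result in (example_weak(), example_hardened()):
        print(json.dumps(result, indent=2))
```

In a live audit the three inputs would come from `GetBucketAcl`, `GetBucketPolicy` and `GetPublicAccessBlock` for every bucket in the account; the logic above is the part that decides what counts as "public", and the hardened configuration shows the shape to aim for: no group grantees in the ACL, a Principal scoped to a specific role, and all four Block Public Access flags enabled.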