A Data Breach at Payment App Bharat Interface for Money Exposed Millions of Indians' Data

Bharat Interface for Money Data Breach

Yesterday, the National Payments Corporation of India (NPCI) issued what has to be one of the most unclear media statements we've ever seen. It's precisely three sentences long. The first one states that NPCI's team has seen news reports of a data breach at the Bharat Interface for Money (BHIM) mobile application. The second sentence says that 'there has been no data compromise at BHIM App[sic]' and urges people to avoid falling prey to such 'speculations.' Curiously, the tweet accompanying the statement replaces the word 'speculations' with 'misinformation.' The third and final sentence is a generic statement about how NPCI takes security very seriously.

There really isn't much actual information in NPCI's announcement, which meant that we had to dig a bit further to find out what's going on.

An unprotected S3 bucket exposed the data of millions of Indian users

NPCI's uninformative press release was provoked by a report published by VPNMentor's team of researchers. Those of you who follow cybersecurity news closely know that this particular crew is led by Noam Rotem and Ran Locar, who specialize in finding misconfigured and poorly protected databases that expose unsuspecting users' personal data. You can probably guess where this is going.

On April 23, they discovered a poorly configured AWS S3 bucket that held 409GB of data. The bucket required no password or any other form of authentication, it contained around 7.26 million records, and a brief investigation revealed that its owner was CSC e-Governance Services LTD, the developer of the website dedicated to the Bharat Interface for Money application. The records dated back to February 2019 and had apparently been collected during a campaign aimed at increasing BHIM's popularity.

Bharat Interface for Money is a mobile payment app, and it's only normal to expect that its databases are full of sensitive personal information. Even the researchers were a bit surprised by what they found in the unprotected bucket, though.

The exposed data was highly sensitive

In addition to personal data like names, dates of birth, age, gender information, and contact details, the poorly configured S3 bucket also contained anything from biometric data to scans of Aadhaar cards, caste certificates, and Permanent Account Number (PAN) cards. As VPNMentor's researchers pointed out, this is the sort of information you might find if you're a hacker and you compromise the backend systems of a bank, which shows just how serious the leak was. There was more, though.

The S3 bucket also contained CSV lists of merchants who had signed up for the app, as well as an APK file that apparently held some AWS key pairs. To stay on the right side of the law, the researchers didn't test the keys, but they noted that if they were valid, they would have allowed cybercriminals to use BHIM's cloud infrastructure for all sorts of malicious operations.

NPCI's handling of the breach is appalling

You've probably drawn your conclusions from yesterday's press release, but before you form your final opinion on how the people responsible for the leak handled it, you need to bear a few more things in mind.

VPNMentor's researchers reached out to CSC e-Governance Services immediately after discovering the leaky bucket, but they received no response. Five days later, on April 28, they got in touch with India's Computer Emergency Response Team (CERT) and asked for further assistance. CERT did respond on the following day, but the database remained online. On May 5, the experts once again tried to inform the developers, but their message fell on deaf ears for the second time. Two and a half weeks later, the researchers alerted CERT again, and the S3 bucket was finally taken offline on May 22.

Delayed reaction aside, we must also say that the leak shouldn't have happened in the first place. Handling that much sensitive information is an enormous responsibility, and it's difficult to find excuses for simple configuration mistakes like putting all the data in a public S3 bucket that isn't protected by any sort of authentication. What is even more worrying, however, is the attempt to downplay the issue.
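To make the configuration mistake concrete, here is an added illustration that is not from the article, NPCI or CSC: a constructed bucket policy that grants unauthenticated read access sits beside a hardened one that restricts reads to a single hypothetical IAM role, and a small audit function flags the public form. The bucket name, account id and role name are made up, and the real bucket's policy was never published.

```python
import json

# Constructed sample policies for a hypothetical bucket; the real bucket's policy was never published.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnyoneCanRead",
        "Effect": "Allow",
        "Principal": "*",  # every AWS account and unauthenticated callers alike
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::campaign-uploads", "arn:aws:s3:::campaign-uploads/*"],
    }],
})
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BackendRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/campaign-backend"},  # hypothetical role
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::campaign-uploads/*",
    }],
})
READ_ACTIONS = ("*", "s3:*", "s3:GetObject", "s3:ListBucket")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _grants_anonymous(principal):
    """True when Principal is the wildcard, i.e. no authentication is required."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_read_statements(policy_json):
    """Sids of unconditional Allow statements that let anyone read objects or list the bucket."""
    hits = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue  # Deny statements and conditioned grants need separate review
        actions = _as_list(stmt.get("Action", []))
        if _grants_anonymous(stmt.get("Principal")) and any(a in READ_ACTIONS for a in actions):
            hits.append(stmt.get("Sid", "<unnamed>"))
    return hits


def effectively_public(policy_json, restrict_public_buckets=False):
    """Block Public Access's RestrictPublicBuckets makes S3 ignore public grants in a bucket policy."""
    return bool(public_read_statements(policy_json)) and not restrict_public_buckets
```

Enabling S3 Block Public Access at the account level is the control that would have neutralised a policy like the first one even if it had been applied by mistake.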

It's always disappointing to see vendors and developers ignore data breach alerts, but in this case, the problem is bigger because millions of users are put at serious risk of identity theft. Instead of helping affected users through the crisis, however, the NPCI is trying to pretend that nothing has happened and is blaming news reports for spreading "misinformation" and "speculations." This could very well be a guide on how not to handle a data security incident.

June 2, 2020
