- The CSC BHIM website had a security flaw exposing millions of UPI users.
- Crucial details such as ID scans, names, certificates and more were left vulnerable.
- The security flaw could enable cybercriminal activity, affecting almost 7.26 million people.
It is quite common to stumble upon reports of data privacy and security vulnerabilities in apps or websites operated by the government of India. A couple of weeks ago, the Aarogya Setu app was in the limelight for breaching privacy. Today another popular service joins the list, and it is one that a majority of Indians rely on daily -- BHIM. Specifically, it is the CSC website connected to the BHIM app.
Update: The NPCI has released an official statement to the media, stating, "We have come across some news reports which suggest data breach at BHIM App. We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem".
A third-party research report details a glaring vulnerability that may have put crucial data of millions of users at risk. Discovered and reported by vpnMentor, the security flaw in the CSC BHIM website essentially laid all essential data bare for hackers to mine. The issue was first reported on April 28, and by May 23 the National Payments Corporation of India (NPCI) had fixed it.
vpnMentor has detailed the security flaw and how it affects users, but here is the explanation in brief. The CSC BHIM website, which was created to garner more memberships for the BHIM service, had left open a security flaw. This flaw allowed any hacker with malicious intentions to mine key user details, including scans of Aadhaar cards, caste certificates, other ID proofs, fund-transfer proofs, certificates and more. Basically, the entire set of membership details for the BHIM service was left exposed.
The issue was primarily caused by a flaw in the CSC BHIM website that was left unattended by the developers. Essentially, the data store was left unsecured and unencrypted, which in the modern digital age puts user data at serious risk. Once the issue was reported, the flaw was patched and no longer exists. According to the report, the flaw exposed the data of approximately 7.26 million users.
While the problem has been fixed, the flaw may have left the data of millions of users at risk. The report says that if any hacker managed to mine the data before the fix, it could lead to several kinds of cybercriminal activity such as identity theft, bank fraud, malware attacks and even viral attacks. The UPI IDs and names of these users were also easy to mine.
If you use the BHIM service for carrying out transactions, vpnMentor suggests that you reach out to CSC e-Governance Services to learn how the problem is being dealt with. Additionally, it is advisable to keep an eye on your bank transactions as well as your other account details. If you spot any anomaly in your records, get in touch with your bank as soon as possible.