The National Payments Corporation of India (NPCI) has refuted reports of a data breach of the BHIM app, adding that it maintains a high level of security to protect the app's infrastructure. "We have come across some news reports which suggest a data breach at BHIM App. We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows a high level of security and an integrated approach to protect its infrastructure and continues to provide a robust payments ecosystem," the NPCI said in a statement on Monday.
Reports of a BHIM app data breach followed a third-party research report that flagged vulnerabilities which might have put crucial data of millions of users at risk. Israeli cybersecurity website vpnMentor said that a security flaw in the CSC BHIM website left the data of millions of users exposed to hackers. The flaw was first reported on April 28, and NPCI fixed the issue by May 23.
The vulnerability, which the developers had left unattended, exposed key user documents such as Aadhaar card scans, proof of fund transfers, caste certificates, proof of residence and a host of membership details, as mentioned in a report in India Today.
According to vpnMentor, the CSC BHIM website was created to garner more memberships for the BHIM app. Some of the membership data was stored in a misconfigured Amazon Web Services S3 bucket that was publicly accessible. S3 is an AWS cloud object storage service; a bucket whose access settings allow public reads can be opened by anyone who finds its address, without any credentials. This bucket contained records dating back to February 2019.
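The misconfiguration class described above, as an added example that is not part of the original report or of NPCI's or CSC's systems: a small Python check that reads an S3 bucket policy document and returns the resources an anonymous caller could read, run against a constructed public-read policy and a constructed restricted one. The bucket name, account ID and role name are placeholders, not values from the incident.

```python
import json

# Constructed sample bucket policies, not the policy from the CSC BHIM bucket
# (the reports do not reproduce it). The first grants anonymous reads on every
# object, the kind of setting that exposes stored documents to anyone with the URL;
# the second limits reads to one IAM role in the account.
PUBLIC_READ_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-membership-docs/*"
  }]
}"""

RESTRICTED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/membership-app"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-membership-docs/*"
  }]
}"""

# Actions that let a caller read object contents or enumerate keys.
READ_ACTIONS = {"s3:getobject", "s3:getobjectversion", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    # "*" and {"AWS": "*"} both match unauthenticated callers.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_read_resources(policy_json):
    """Resource ARNs that an unconditional Allow statement exposes to anonymous readers.
    Statements with a Condition are not returned: they may still be public (e.g. an
    over-broad aws:SourceIp) and need manual review. Pair this check with S3 Block
    Public Access, which rejects such policies at the account or bucket level."""
    exposed = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS and "Condition" not in stmt:
            exposed.extend(_as_list(stmt.get("Resource", [])))
    return exposed
```

The same check does not cover legacy bucket ACLs (the `public-read` canned ACL), which grant anonymous access without any policy document and must be reviewed separately.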
"The sheer volume of sensitive, private data exposed, along with UPI IDs, document scans, and more, makes this breach deeply concerning. The exposure of BHIM user data is akin to a hacker gaining access to the entire data infrastructure of a bank, along with millions of its users' account information," said vpnMentor cybersecurity researchers Noam Rotem and Ran Locar.