India's largest bank, State Bank of India (SBI) found itself in the midst of 'data leak' controversy earlier this week. The data leak at the bank's server in Mumbai was more due to carelessness than the work of some devious mind. According to a report in TechCrunch, the bank exposed financial information of its customers through an unprotected server. The exposed data contained partial account numbers, balances, transaction details and much more. The bank has now managed to secure the server but there is still no clarity on whether the server data was mined by any external source.
How did the leak happen?
State Bank of India's Mumbai based data center had a server that wasn't password protected. The server was being used to host banking information of customers using 'SBI Quick' - bank's text and call-based service for staying updated about balances, recent transactions, and credit information. Without a password protected server, the information from SBI Quick was out in the open. The whole leak episode was due to poor configuration by server administrators and lack of server management.
What kind of data was exposed?
The vulnerable server compromised back-end text message system of SBI Quick, divulging the messages going to customers through the service. Since the server was unprotected, the outgoing messages were displayed in real time; this also included the daily archives of messages sent over the last two months. The outgoing messages contained information like bank balances, mobile numbers, recent transactions, and partial account numbers. It isn't too difficult to take advantage of the unprotected server and get all the information required to commit fraud.
What does this mean for the account holder?
The news isn't all bad. The unprotected server didn't give out username or passwords of any account holder. Therefore, there is no direct risk to account security. However, hackers and social engineers can find a lot from the exposed mobile numbers, balance information and recent transactions. Social engineers can trick the account holders to give out further banking details and take away all their money.
What can an account holder do?
Avoid using public Wi-Fi to access your banking account. Unsecured connection are an opportunity for the hacker and can easily introduce malware into your device. Changing passwords regularly is another great habit that will keep your account safe and maintain confidentiality. And, needless to say, don't share your personal details with anyone. If you have received a message about an unauthorised transaction, then immediately contact your bank.
The SBI episode underlines the fact that banks must invest in more robust technologies and have stronger policies and awareness program. They must also use the white hacker approach to take care of any leaks by conducting mock hacking drills. Banks must also regularly update their password management systems.
Edited By: Udit Verma