The Bharat Interface for Money (BHIM) app is built on the UPI (Unified Payments Interface) mechanism and is owned by NPCI (National Payments Corporation of India), which runs it to provide faster bank-to-bank money transfers in India. Currently, the BHIM app has over 136 million users.
Security researchers from VPN Mentor discovered the unsecured database on 23rd April 2020 but only announced the finding recently. The exposed database belonged to the BHIM app's website (http://cscbhim.in/), which was being used to promote the app across India and to sign up large numbers of business merchants.
The data was exposed through a misconfigured Amazon Web Services (AWS) S3 bucket holding 409 GB of data. The exposed database contains user records from February 2019 onwards.
The exposed data includes personally identifiable information (PII) such as names, dates of birth, age, gender, residential address, biometric details, Aadhaar card images (India's national ID), bank records, PAN numbers, caste certificates, professional certificates, and full profiles of BHIM customers. It also contains more than 1 million UPI IDs, which are directly linked to the users' bank accounts.
The security researchers also informed CERT-In (the Computer Emergency Response Team that handles cybersecurity in India) about the massive data breach on 28th April 2020. The exposure was closed on 22nd May 2020.
The scale of the personal data exposure is deeply concerning: millions of BHIM users all over India are now at risk of identity theft, fraud, and cyberattacks from cybercriminals.
If you are a BHIM app user and are concerned about how this massive data breach might affect you, contact CSC e-Governance Services directly to find out what steps they are taking to resolve the issue and keep your personal data safe.
The security researchers also advised the developers of the BHIM website that they could easily have avoided this massive data breach had they taken these basic security measures:
1) Using proper access rules
2) Protecting its servers
3) Securing system access
4) Creating strong passwords and using strong encryption
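As an added illustration of the first point (this is not code from the article, from VPN Mentor or from the BHIM project), here is a small Python checker that flags S3 bucket-policy statements granting access to everyone, run against a constructed public-read policy of the kind that exposes a bucket and against a corrected one. The bucket name, account ID and role name are placeholders.

```python
import json

# Constructed sample of the weak setting: a bucket policy that lets anyone on the
# internet list and read every object (the BHIM site's real policy was never published).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-uploads", "arn:aws:s3:::example-uploads/*"],
    }],
})

# Corrected policy: only a named IAM role (hypothetical account id) may read
# objects, and any request over plain HTTP is denied.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RoleReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/merchant-onboarding"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-uploads/*",
    }, {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-uploads", "arn:aws:s3:::example-uploads/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

def _is_public_principal(principal):
    # Both the bare "*" and {"AWS": "*"} forms mean "anyone, signed in or not".
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_statements(policy_json):
    """Sids of Allow statements open to everyone. A Deny with Principal "*" is not
    flagged (that is how access gets restricted); conditioned Allows still are, for review."""
    policy = json.loads(policy_json)
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and _is_public_principal(s.get("Principal"))]
```

In a real audit the same function runs over the JSON returned by the S3 `get_bucket_policy` call, and enabling S3 Block Public Access on the account rejects such policies before they can be saved.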
If you have any questions about the massive data breach affecting India's BHIM mobile payment app, or want to share your views on this topic, please mention them in the comments box and I will get back to you.