Aadhaar cards, caste certificates, and other highly sensitive personal data of over 70 lakh Indians have reportedly been exposed by a government website. The CSC BHIM website, used to promote UPI payments app BHIM, reportedly suffered a massive data breach. The CSC e-Governance Service India is a program to bring digital access to villages, and the CSC BHIM project was launched to get merchants at the village level to start accepting UPI payments through QR codes. Apparently, a tremendous amount of data of Indian citizens was gathered on the site, and this information has now been breached.
According to Israeli cybersecurity company vpnMentor, 409GB of data belonging to users in India has been exposed, including a large amount of highly sensitive, personally identifiable information. The company said that the exposure of this user data is akin to a hacker gaining “access to the entire data infrastructure of a bank,” along with users’ account information. The exposure was first detected on April 23, and the misconfiguration is said to have been fixed on May 22.
Based on the report so far, there is no evidence yet that the BHIM app itself was leaking data, or that the UPI system is insecure.
How was CSC BHIM data breached?
The report by vpnMentor claims that the data collected for BHIM deployment was being stored on a misconfigured Amazon Web Services S3 bucket and was “publicly accessible.” This is a fairly common error that many websites make when setting up their cloud systems. As per vpnMentor, 409GB worth of sensitive data belonging to individuals and several merchants was lying unsecured, exposing them to potential fraud, theft, and attack from hackers and cybercriminals.
Sensitive data of lakhs of Indians was stored in cloud storage with no access controls configured on the account to protect it.
“…the data was stored on an unsecured Amazon Web Services (AWS) S3 bucket. S3 buckets are a popular form of cloud storage across the world but require developers to set up the security protocols on their accounts. The exposed S3 bucket was labelled ‘csc-bhim,’ and our team was quickly able to identify the developers behind the website ‘www.cscbhim.in’ as the owners of the data,” claim Noam Rotem and Ran Locar, cybersecurity researchers at vpnMentor.
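The misconfiguration described above comes down to three S3 settings: the bucket ACL, the bucket policy, and the Public Access Block that can override both. The following audit script is an added example written for this article; it is not vpnMentor’s tooling or anything from the CSC BHIM project. It runs offline against the JSON structures the AWS API returns for `get-bucket-acl`, `get-bucket-policy` and `get-public-access-block`, so it can be pointed at saved API output. The bucket name `example-docs`, the owner ID and the sample ACL and policy are constructed for illustration.

```python
"""Offline audit of the three S3 settings that decide whether a bucket is
world-readable: the bucket ACL, the bucket policy and the Public Access
Block. Input is the JSON returned by get-bucket-acl, get-bucket-policy and
get-public-access-block, so no AWS credentials are needed. All sample data
below is constructed for illustration; it is not the CSC BHIM bucket."""

# Group URIs AWS uses for "anyone on the internet" and "any AWS account"
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl):
    """Return (group, permission) pairs for ACL grants made to everyone."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also when given as a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return Sids of unconditional Allow statements open to any principal.
    Statements with a Condition block are skipped here: they may still be
    effectively public (e.g. a weak aws:Referer check) and need manual review."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # a policy may carry a single statement object
        stmts = [stmts]
    sids = []
    for idx, stmt in enumerate(stmts):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if _principal_is_anyone(stmt.get("Principal")):
            sids.append(stmt.get("Sid", f"statement-{idx}"))
    return sids


def public_access_block_gaps(pab):
    """Return the Public Access Block flags that are missing or false."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return [flag for flag in PAB_FLAGS if not cfg.get(flag, False)]


def audit_bucket(acl, policy, pab):
    """Combine the checks. A public ACL grant only takes effect while
    IgnorePublicAcls is off, and a public policy only while
    RestrictPublicBuckets is off, so the verdict accounts for both."""
    gaps = public_access_block_gaps(pab)
    acl_hits = public_acl_grants(acl)
    policy_hits = public_policy_statements(policy)
    exposed = (bool(acl_hits) and "IgnorePublicAcls" in gaps) or \
              (bool(policy_hits) and "RestrictPublicBuckets" in gaps)
    return {"public_acl_grants": acl_hits,
            "public_policy_statements": policy_hits,
            "public_access_block_gaps": gaps,
            "exposed": exposed}


# --- constructed sample API output for a hypothetical bucket "example-docs" ---
WEAK_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-docs/*",
    }],
}
NO_PAB = {}  # get-public-access-block errors when none is configured; treat as empty
OWNER_ONLY_ACL = {"Owner": WEAK_ACL["Owner"], "Grants": WEAK_ACL["Grants"][:1]}
HARDENED_PAB = {"PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS}}

if __name__ == "__main__":
    print("weak:    ", audit_bucket(WEAK_ACL, WEAK_POLICY, NO_PAB))
    print("hardened:", audit_bucket(OWNER_ONLY_ACL, {"Statement": []}, HARDENED_PAB))
```

The weak configuration reproduces the pattern the report describes: an `AllUsers` READ grant plus a wildcard `s3:GetObject` policy, with no Public Access Block to override them. Enabling all four Public Access Block flags is the single change that neutralises both, which is why the hardened case reports `exposed: False` even when the same ACL and policy are left in place.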
What all data was compromised in the CSC BHIM breach?
According to vpnMentor, the following were some of the personal documents that were found in the exposed S3 bucket:
- Scans of Aadhaar cards – India’s national ID
- Scans of Caste certificates
- Photos used as proof of residence
- Professional certificates, degrees, and diplomas
- Screenshots taken within financial and banking apps as proof of fund transfers
- Permanent Account Number (PAN) cards (associated with Indian income tax services)
Aside from this, the leak also included UPI VPAs (transaction IDs) of people.
Impact of the CSC BHIM data breach
The cybersecurity company said that the data breach exposes highly sensitive data including individuals’ Aadhaar card information, caste certificates, proof of residence, professional certificates and degrees, and scans of Permanent Account Number (PAN) cards.
“Based on our research, the S3 bucket also contained documents and PII [Personally identifiable information] data for minors,” the company said. The cybersecurity company explains that having such sensitive financial data in the public domain would make it “incredibly easy to trick, defraud, and steal from the people exposed.”
“The exposure of private data may also contribute to a broader deterioration of trust between the Indian public, government bodies, and technology companies,” the company added.
What has the government said over the CSC BHIM data vulnerability?
The report states that the cybersecurity company reached out to the developers of the CSC BHIM site to inform them about the breach, but no contact was established. The company then reached out to India’s Computer Emergency Response Team (CERT-In), which deals with cybersecurity in the country, on April 28, and the problem was reportedly rectified on May 22 without further response.
Gadgets 360 has also reached out to the National Payments Corporation of India, and Computer Emergency Response Team for more clarity.