The CSC BHIM website, which is used to promote India’s UPI payments app BHIM, has reportedly suffered a massive data breach that exposed Aadhaar cards, caste certificates and other sensitive personal data of over 7 million Indians stored on the government website.
As reported by vpnMentor, the Israel-based cybersecurity company, about 409GB of personal data of users in India has been exposed, including a huge amount of highly sensitive personally identifiable information (PII). The report notes that this data might have been exposed after a hacker gained “access to the entire data infrastructure of a bank in India” including the users’ account information.
According to the report, there is no evidence that the data was leaked through any issue in the UPI system. It also notes that the vulnerability was first detected on April 23 and was fixed on May 22.
The CSC e-Governance Service India is a program to bring digital access to villages, and the CSC BHIM project was launched to get merchants at the village level to start accepting UPI payments through QR codes. Apparently, a tremendous amount of data of Indian citizens was gathered on the site, and this information has now been breached.
How did the CSC BHIM data get breached?
The report claims that the data obtained for BHIM deployment was being stored on a misconfigured AWS S3 bucket that was “publicly accessible”, a fairly common mistake that many websites make when setting up their cloud systems. As a result, 409GB of sensitive user data sat in cloud storage unsecured, without security protocols on the account to ensure its safety.
“…the data was stored on an unsecured Amazon Web Services (AWS) S3 bucket. S3 buckets are a popular form of cloud storage across the world but require developers to set up the security protocols on their accounts. The exposed S3 bucket was labeled ‘csc-bhim,’ and our team was quickly able to identify the developers behind the website ‘www.cscbhim.in’ as the owners of the data,” claim Noam Rotem and Ran Locar, cybersecurity researchers at vpnMentor.
According to vpnMentor, personal documents that were found in the exposed S3 bucket are listed below:
Scans of Aadhaar cards – India’s national ID
Scans of Caste certificates
Photos used as proof of residence
Professional certificates, degrees, and diplomas
Screenshots with financial and banking apps as proof of fund transfers
Permanent Account Number (PAN) cards
It also includes UPI VPAs (transaction IDs) of users
After noticing the breach, the cybersecurity company reached out to the developers of the CSC BHIM site to inform them as early as possible, but no contact was established. The team then reached out on April 28th to India’s Computer Emergency Response Team (CERT-In), which deals with cybersecurity-related issues in the country, and on May 22 the issue was rectified.
More details about this breach could be reported later.