A website connected to India's mobile payment app BHIM has suffered a massive data breach, exposing the personal information of millions of users from across India.
A research team from vpnMentor led by Noam Rotem and Ran Locar discovered that the site, which was being used in a campaign to sign up large numbers of users and business merchants to the app, was storing their records in a misconfigured Amazon Web Services S3 bucket that was publicly accessible: anyone who found the bucket's address could read its contents without any credentials.
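The article does not say how the bucket came to be public, only that it was. The most common causes are a bucket policy (or ACL) that grants access to the anonymous principal, combined with S3 Block Public Access being left off. The script below is an added example, not code from vpnMentor or the site operator: it takes a bucket policy document and a Block Public Access configuration (the `PublicAccessBlockConfiguration` structure that `GetPublicAccessBlock` returns) and reports whether either leaves the bucket readable by the world. The two policies, the bucket name `example-kyc-uploads`, the account ID and the role name are all constructed for the example; the real bucket's configuration is not known.

```python
"""Audit an S3 bucket policy and Block Public Access settings for world readability.

Added example with constructed inputs; it does not reproduce the real BHIM bucket's
configuration. Runs offline (no boto3 needed): feed it the JSON you pulled with
`aws s3api get-bucket-policy` / `get-public-access-block`.
"""
import json

# Constructed weak policy: the anonymous principal ("*") may list and read everything.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-kyc-uploads",
                     "arn:aws:s3:::example-kyc-uploads/*"],
    }],
})

# Constructed hardened policy: only one IAM role (hypothetical) may read/write,
# and plaintext HTTP is denied outright.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/kyc-ingest"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-kyc-uploads/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-kyc-uploads",
                         "arn:aws:s3:::example-kyc-uploads/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# Actions (lower-cased) that expose object contents or object names.
# Simplified matcher: wildcards other than these are not expanded.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:list*", "s3:*"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the statement applies to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_read_statements(policy_json):
    """Return the Sids of Allow statements that let anyone read objects or list the bucket.

    Statements with a Condition are still reported: a condition such as
    aws:SecureTransport does not narrow *who* may read, so they need review.
    """
    policy = json.loads(policy_json)
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if actions & READ_ACTIONS:
            findings.append(st.get("Sid", "<no Sid>"))
    return findings


def public_access_block_is_strict(cfg):
    """True only when all four S3 Block Public Access switches are on.

    With these enabled, S3 rejects public ACLs and public bucket policies even if
    someone later writes one, which is the guard rail a misconfigured bucket lacked.
    """
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(cfg.get(key) is True for key in required)


def audit(policy_json, access_block_cfg):
    """Combine both checks into one verdict: is the bucket world-readable?"""
    public_sids = public_read_statements(policy_json)
    strict = public_access_block_is_strict(access_block_cfg)
    return {
        "public_statements": public_sids,
        "block_public_access_strict": strict,
        # Block Public Access overrides a public policy, so only both failing is exposure.
        "world_readable": bool(public_sids) and not strict,
    }


if __name__ == "__main__":
    no_block = {}  # never configured: equivalent to all four switches off
    full_block = {k: True for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                    "BlockPublicPolicy", "RestrictPublicBuckets")}
    print("weak bucket:    ", audit(WEAK_POLICY, no_block))
    print("hardened bucket:", audit(HARDENED_POLICY, full_block))
```

The `world_readable` verdict is what an internal scan should alert on: a public policy alone is caught by Block Public Access when it is on, so the dangerous state is the combination of an anonymous Allow and the block switched off, which is exactly the state a bucket sits in when it has been created and exposed by hand.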
BHIM, or Bharat Interface for Money, was launched by the National Payments Corporation of India (NPCI) in 2016 to enable instant e-payments and money transfers between bank accounts from a user's phone. Based on recent figures, the app is now used by more than 136 million people across India. It is built on the Unified Payments Interface (UPI) and assigns each user a unique ID with which they can send and receive money through any associated financial app.
According to the researchers, the exposed data dates from February 2019 and amounts to about seven million highly sensitive files, including the information and documents needed to open an account with BHIM: Aadhaar cards (India's national ID), photos used as proof of residence, caste certificates, professional certificates, degrees and diplomas, and permanent account number (PAN) cards, which are linked to the Indian income tax system. Other exposed information includes names, dates of birth, home addresses, gender, religion, and biometric details.
The breach is deeply concerning because these are exactly the documents used to prove identity and open financial accounts in India: with them, the millions of people affected could easily become victims of identity theft, financial fraud and targeted phishing by criminals.