A major data breach at mobile payment app Bharat Interface for Money (BHIM) has exposed the personal and financial data of millions of Indians.
The breach occurred after BHIM failed to securely store vast swathes of data collected from users and businesses during a sign-up campaign.
On April 23, researchers at vpnMentor made the alarming discovery that all the data related to the campaign was publicly accessible after being stored in a misconfigured Amazon Web Services S3 bucket.
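The root cause described above is a storage configuration that let anyone on the internet read the bucket. The following added example (not from the article, vpnMentor, or BHIM) shows the kind of offline check a cloud security team can run over a bucket's policy document and its Block Public Access settings to catch that state before data is exposed. The bucket policies and account ID in it are constructed placeholders, not the real configuration of the bucket in the story.

```python
"""Offline audit of an S3 bucket's public-access posture.

Added example, not code from the article or from any organisation it names.
The policies and the account ID below are constructed placeholders.
"""
import json

# The four Block Public Access switches AWS exposes per bucket; all four
# should be enabled on any bucket that holds identity documents.
BLOCK_PUBLIC_ACCESS_KEYS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def _is_public_principal(principal) -> bool:
    """True when a policy statement's Principal grants to everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def audit_bucket(policy: dict, public_access_block: dict) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        # An Allow to "*" with no Condition makes those actions world-accessible.
        if not stmt.get("Condition"):
            sid = stmt.get("Sid", "no Sid")
            findings.append(
                f"statement {i} ({sid}) allows {', '.join(actions)} to any principal"
            )
    for key in BLOCK_PUBLIC_ACCESS_KEYS:
        if not public_access_block.get(key, False):
            findings.append(f"Block Public Access setting {key} is not enabled")
    return findings


# Constructed weak configuration: world-readable objects, no public-access block.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-signup-bucket/*"
  }]
}""")
WEAK_BLOCK = {key: False for key in BLOCK_PUBLIC_ACCESS_KEYS}

# Constructed hardened configuration: a single named role may write, and
# every Block Public Access switch is on. 123456789012 is a placeholder account.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "IngestRoleWriteOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/SignupIngest"},
    "Action": ["s3:PutObject"],
    "Resource": "arn:aws:s3:::example-signup-bucket/*"
  }]
}""")
HARDENED_BLOCK = {key: True for key in BLOCK_PUBLIC_ACCESS_KEYS}


if __name__ == "__main__":
    for label, pol, blk in (("weak", WEAK_POLICY, WEAK_BLOCK),
                            ("hardened", HARDENED_POLICY, HARDENED_BLOCK)):
        print(f"{label}: {audit_bucket(pol, blk) or ['no findings']}")
```

In practice the two inputs come from `get-bucket-policy` and `get-public-access-block` in the AWS CLI or SDK; the checker itself needs no network access, so it can run in CI against exported configuration. It intentionally treats any unconditioned `Allow` to `*` as a finding, and treats a disabled Block Public Access switch as a finding even when the policy looks clean, since ACLs and later policy edits can reopen a bucket that the policy alone does not.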
"The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals," wrote researchers.
Data exposed in the breach included scans of Aadhaar cards (India’s national ID cards), caste certificates, professional and educational certificates, photos used as proof of residence, Permanent Account Number (PAN) cards associated with Indian income tax services, and screenshots captured within financial and banking apps as proof of fund transfers—all documents needed to open a BHIM account.
Private personal user data contained within these documents included names, dates of birth, age, gender, home address, caste status, religion, biometric details, fingerprint scans, ID photos, and ID numbers for government programs and social security services.
Over 7 million records dating from February 2019 were exposed, some of which belonged to people aged under 18 years old.
After investigating the breach, vpnMentor's team found 409 GB of data stored insecurely by BHIM, which operates via the website www.cscbhim.in. Researchers traced the bucket back to BHIM as it was labeled “csc-bhim.”
Researchers informed BHIM of their discovery but did not receive a response, so they contacted India’s Computer Emergency Response Team (CERT-In).
"Many weeks later, we contacted CERT-In a second time," wrote researchers. "Shortly thereafter, the breach was closed."
The Indian mobile payment app was launched in 2016 to facilitate instant e-payments and money transfers between bank accounts via a user's smartphone. By 2020, the popular app had been downloaded 136 million times, according to the National Payments Corporation of India (NPCI), a non-profit business consortium.