NPCI denies claims of BHIM users data breach

The National Payments Corporation of India on Monday denied any data breach at its Unified Payments Interface- based (UPI) digital payments app BHIM, a day after an Israel-based cybersecurity group reported that seven million sensitive records have been leaked.

“NPCI follows a high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem,” government-run NPCI said in a statement.

The data breach is related to a publicly accessible website, cscbhim.in. The website was being used in a campaign to sign users and business merchants to the app from communities across India. 

Read: NPCI to build a data centre in Chennai

A research team at vpnMentor, led by Noam Rotem and Ran Locar, said it discovered a “massive amount of incredibly sensitive financial data connected to India’s mobile payment app BHIM (Bharat Interface for Money) that was exposed to the public.”

The data included BHIM-linked social security documents of Aadhaar cards, caste certificates, proof of residence, educational certificates, fund transfer screenshots, and Permanent Account Number (PAN) cards.

All related data from the campaign was being stored on a misconfigured Amazon Web Services S3 bucket, according to a blog post published on Sunday. 

The S3 bucket, the cybersecurity researchers said, contained records from February 2019 and exposed data of about 7.3 million people. 

“The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals,” the researchers further said.

The flagged website is managed by CSC e-Governance Services India, a special purpose vehicle incorporated under the Companies Act 1956 by the Ministry of Electronics and Information Technology ( MeitY), Government of India. The body, engaged in the promotion of the country’s Digital India programme, monitors the implementation of common services centers scheme (CSCs), according to its website.

The issue, the team said, was reported to India’s Computer Emergency Response Team (CERT-In) on 28 April. The breach was closed on May 22.