The Punjab National Bank (PNB) has denied a report by cyber security firm CyberX9, which claimed that a loophole in the bank’s Microsoft Exchange Server left sensitive data of over 18 crore customers exposed on the open web for months.
The bank has claimed its exposed server was only used to route internal emails to Office365, and had nothing to do with sensitive customer data.
This is in contrast to CyberX9’s claim that it could exploit the vulnerable server to get admin level access on one of PNB’s internal servers.
The CyberX9 report claimed that PNB failed to apply the requisite patches that were issued by Microsoft to fix a critical vulnerability on its exchange server.
The vulnerability has been around for over seven months, and the firm claimed that until PNB undertakes a security audit, it should not consider its user data as secure.
A statement in response to the incident by a PNB spokesperson said, “The server wherein the vulnerability was reported,was being used as one of the multiple Exchange Hybrid servers used to route emails from On-prim to Office 365 Cloud. There is no sensitive/critical data in this server.”
"The server is in a separate VLAN segment and customer data/applications are not affected due to this. Vulnerability assessments and penetration testing is done periodically by external Cert-in empanelled Information Security Auditors and the observations are complied with. Now this server has been shut down as a precautionary measure,” the spokesperson further added.
The Microsoft Exchange Server flaw was reported with high critical status, and firms worldwide were advised to apply the issued patches to prevent mass damage in the form of loss of sensitive data or direct financial exploits.
The CyberX9 report further said the PNB neither has a direct security point of contact in its roster, and its lack of speed in applying the patch reflected a lackadaisical approach to cyber security.