BHIM Data Exposed Through Partner Website

BHIM, an Indian app for online transactions, recently saw sensitive user data leaked through one of its partner sites. While the government has denied a breach, the report describes a leak affecting millions of users.

Crux of the Matter

Leaked Data
vpnMentor, an Israeli cyber-security firm, reported a breach of data used to register for the BHIM app, an Indian application for online payments launched in 2016 after demonetization. Reportedly, data of over 7 million users has been leaked. The data was publicly accessible until 22 May 2020 in an Amazon Web Services (AWS) S3 bucket, a type of cloud storage.

The leaked documents include those used for app registration:

  • Aadhaar Cards
  • PAN Cards
  • Caste Certificates
  • Residential Proofs
  • Bank Records

How Did The Data Leak?
The National Payments Corporation of India (NPCI) developed the BHIM app in collaboration with CSC e-Government Services Ltd, a non-government company now affiliated with the Indian government through a Special Purpose Vehicle (SPV) provision. The CSC website uses the domain, and CSC partnered with Amazon Web Services (AWS) for its cloud storage, using an S3 bucket to store the BHIM data.

vpnMentor has absolved AWS of responsibility for the data breach and placed it on CSC, citing negligence in configuring the storage used for data uploads.
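The finding above comes down to storage that anyone on the internet could read. As an added example (not from the article or from vpnMentor's report), the check below flags the two S3 settings that produce that outcome: bucket-policy statements granting access to the anonymous principal, and ACL grants to the AllUsers or AuthenticatedUsers groups. The bucket name, account id and role name in the sample inputs are made up.

```python
import json

# Constructed sample inputs in the shape returned by the S3 GetBucketPolicy and
# GetBucketAcl APIs; they are illustrative, not the partner site's real config.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-registration-docs/*"}]})
RESTRICTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/upload-service"},
    "Action": ["s3:PutObject", "s3:GetObject"],
    "Resource": "arn:aws:s3:::example-registration-docs/*"}]})
PUBLIC_ACL_GRANTS = [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]

# Grantee groups whose ACL grants expose the bucket to everyone / every AWS account.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principals(p):
    """Flatten a policy Principal ("*", a string, or {"AWS": [...]}) to a list."""
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        return [v for vals in p.values()
                for v in (vals if isinstance(vals, list) else [vals])]
    return [p]


def public_statements(policy_json):
    """Return Allow statements that grant access to the anonymous principal."""
    stmts = json.loads(policy_json).get("Statement", [])
    if isinstance(stmts, dict):  # a single statement may be given unwrapped
        stmts = [stmts]
    # A Condition block may narrow the grant (e.g. to a source IP range), so
    # only unconditional anonymous grants are flagged here.
    return [s for s in stmts if s.get("Effect") == "Allow"
            and "*" in _principals(s.get("Principal")) and "Condition" not in s]


def public_acl_permissions(grants):
    """Return the permissions an ACL hands to AllUsers / AuthenticatedUsers."""
    return sorted(g["Permission"] for g in grants
                  if g.get("Grantee", {}).get("Type") == "Group"
                  and g["Grantee"].get("URI") in PUBLIC_GROUPS)
```

Feeding real output from `get_bucket_policy` and `get_bucket_acl` into these two functions turns a manual review into a repeatable check; an empty result from both, together with S3 Block Public Access enabled, is the state a bucket holding registration documents should be in.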

Govt Denies
While the Israeli firm has claimed a serious leak, the Indian government has denied any data breach in its statement.

We have come across some news reports which suggest data breach at BHIM App. We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations.

National Payments Corporation of India (NPCI)

While the breach did not expose the app users' transaction data, important documents submitted during registration were disclosed to the public.

  • In May 2019, Australian graphic design tool website Canva suffered an attack that exposed the email addresses, usernames, names, cities of residence, and passwords (salted and hashed with bcrypt, for users not using social logins) of 137 million users. Canva said the hackers managed to view, but not steal, files with partial credit card and payment data.
  • A backdoor in a computer system, a cryptosystem, or an algorithm, is any secret method of bypassing normal authentication or security controls. They may exist for a number of reasons, including by original design or from poor configuration.
  • BHIM (Bharat Interface for Money), named after B. R. Ambedkar, was launched on 30 December 2016 to facilitate e-payments directly through banks, as part of the 2016 Indian banknote demonetization and the drive towards cashless transactions.