vpnMentor, an Israeli cyber-security firm, reported a breach of data used to register for the BHIM app, an Indian application for online payments launched in 2016 after demonetization. Reportedly, the data of over 7 million users has been leaked. The data was publicly available until 22 May 2020 in an Amazon Web Services (AWS) S3 bucket, a type of cloud storage.
The leaked documents include those used for app registration:
- Aadhaar Cards
- PAN Cards
- Caste Certificates
- Residential Proofs
- Bank Records
How Did The Data Leak?
The National Payments Corporation of India (NPCI) developed the BHIM app in collaboration with CSC e-Government Services Ltd, a non-government company now affiliated to the Indian government through a Special Purpose Vehicle (SPV) provision. CSC's website uses the gov.in domain, and CSC collaborated with Amazon Web Services (AWS) for its cloud storage, using S3 bucket storage to hold the data for BHIM.
vpnMentor has absolved AWS of blame for the data breach and has placed the responsibility on CSC for its negligence in configuring the storage for data upload.
While the Israeli firm has claimed a serious leak, the Indian government has denied any data breach in a statement:
"We have come across some news reports which suggest data breach at BHIM App. We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations."
National Payments Corporation of India (NPCI)
While the breach did not leak the app users’ data, important documents used in the registration were disclosed to the public.