wordpress blog stats
Connect with us

Hi, what are you looking for?

7 million BHIM app records, including Aadhaar and UPI handles breached: VpnMentor

Over 7 million records of BHIM UPI app users were breached, including scans of Aadhaar cards, caste certificates, proof of residence, PAN cards, professional certificates and degrees, according to a report by VpnMentor. The breach included lists of BHIM’s merchants and up to 1 million individual users, along with their UPI handles.

VpnMentor’s research team, led by Noam Rotem and Ran Locar, discovered the breach. According to AP News, Rotem is an Israeli security researcher, who most recently pointed out a breach in an app used by Israel’s ruling conservative party. Rotem and Locar work on behalf of VpnMentor, and have exposed multiple security vulnerabilities.

The data, totaling to 409 GB, was stored on an misconfigured Amazon Web Services S3 bucket belonging to cscbhim.in and was publicly accessible. The website is developed by CSC e-Governance Services Ltd, along with the Ministry of Electronics and Information Technology (MEITY). VpnMentor discovered the breach on April 23, and it was closed nearly a month later on May 22. The firm first contacted CERT-in, India’s nodal agency for cybersecurity threats, on April 28. The firm contacted CSC e-Governance Services on May 5. It contacted CERT-in again on May 22, after which vulnerability was finally closed.

The leaked documents contain sensitive personal information. For instance, caste certificates include name, gender, religion, father’s name, and taluk. The list of merchants and users linked them with their profession and UPI handles. Apart from address, gender, and father’s name, Aadhaar also includes biometrics.

BHIM is a UPI payments app developed by the National Payments Corporation of India (NPCI), a private body funded by public and private sector banks, which regulates UPI and other digital payments. NPCI has denied any breach, stating that “there has been no data compromise at BHIM App” and dismissed reports as speculation. We have reached out to CERT-in for details and comment.

Advertisement. Scroll to continue reading.

According to VpnMentor, the bucket was made for promotion of BHIM, and to get new merchants such as “mechanics, farmers, service providers, and store owners onto the app”. “It’s difficult to say precisely, but the S3 bucket seemed to contain records from a short period: February 2019,” the firm added. “The website was being used in a campaign to sign large numbers of users and business merchants to the app from communities across India,” VPN Mentor said.

BHIM accounted for just 1% of all UPI transactions in April. BHIM has seen over 136 million app downloads, as of May 7. The NPCI, which developed the BHIM app, does not give information on the number of virtual payment addresses (VPAs) created and the number of accounts linked to BHIM.

Written By

I cover health, policy issues such as intermediary liability, data governance, internet shutdowns, and more. Hit me up for tips.

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.

Views

News

The DSCI's guidelines are patient-centric and act as a data privacy roadmap for healthcare service providers.

News

In this excerpt from the book, the authors focus on personal data and autocracies. One in particular – Russia.  Autocracies always prioritize information control...

News

By Jai Vipra, Senior Resident Fellow at Vidhi Centre for Legal Policy The use of new technology, including facial recognition technology (FRT) by police...

News

By Stella Joseph, Prakhil Mishra, and Yash Desai The Government of India circulated proposed amendments to the Consumer Protection (E-Commerce) Rules, 2020 (“E-Commerce Rules”) which...

News

By Rahul Rai and Shruti Aji Murali A little less than a year since their release, the Consumer Protection (E-commerce) Rules, 2020 is being amended....

You May Also Like

News

Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

News

By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

Advert

135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...

News

Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Name:*
Your email address:*
*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ