wordpress blog stats
Connect with us

Hi, what are you looking for?

Punjab National Bank exposed personal, financial information of 180 million customers for seven months: Report

The security flaw that left the door open for malicious actors has prompted demands for an independent audit of the bank.

A critical security vulnerability in Punjab National Bank (PNB) exposed the personal and financial data of over 180 million customers for the last seven months, cybersecurity firm CyberX9 claims in a report. The vulnerability was fixed by PNB on November 19 after it was reported to CERT-In and NCIIPC, the firm said.

PNB is India’s second-largest public sector bank and an allegation that all of its customer accounts could’ve been compromised by cyber attackers is alarming. In a statement to MoneyControl, PNB confirmed a vulnerability in one of its servers but denied that any critical data was exposed or other systems were affected. MediaNama has reached out seeking more details.

Cyberattacks and data breaches have been growing rapidly in recent months. Just earlier this month, CyberX9 reported that another large financial company,  Central Depository Services Limited (CDSL), exposed sensitive data of around 4.39 crore investors.

What was the vulnerability at PNB?

CyberX9 reported that on November 17 it discovered a critical vulnerability that gave it access to the highest level of administrator privileges in an internal PNB server, which in turn exposed PNB’s systems nationwide. This unrestricted access could have allowed any malicious attacker to get access to any information on PNB’s network including systems in PNB branches and other departments, the cybersecurity firm said.

An attacker could’ve potentially had the ability to remotely execute any code on them, steal data, make transactions, get complete control of such connected computer systems. – CyberX9

PNB, however, told MoneyControl:

Advertisement. Scroll to continue reading.

“The server wherein the vulnerability was reported, was being used as one of the multiple Exchange Hybrid servers used to route emails from On-prim to Office 365 Cloud. There is no sensitive/critical data in this server. The server is in a separate VLAN segment and customer data/applications are not affected due to this. Now this server has been shut down as a precautionary measure”

CyberX9 also added that the vulnerability discovered at PNB is an actively exploited vulnerability worldwide that malicious attackers have been exploiting for the last seven months. “PNB could’ve easily fixed the vulnerability discovered by us in May 2021 with just a security update to a server application but they didn’t,” the firm said.

What PNB needs to do next?

According to CyberX9, there is “an urgent and important need for an independent and fair security audit of Punjab National Bank ordered by the Government of India” because:

  1. Attackers might have already stolen data: There is a high chance that malicious attackers might have exploited the vulnerability and stolen sensitive data, and there is also a chance that attackers might still be inside PNB’s systems, CyberX9 said.
  2. Lax security practices: PNB’s security practices and posture appears to be in a “horrible state,” which puts customers’ funds and information at a “great amount of risk,” CyberX9 said.

It could take a large team of skilled security and forensic engineers more than a month to re-secure systems and clean up any infiltration, CyberX9 added.

PNB told MoneyControl that vulnerability assessments and penetration testing is done periodically by CERT-In empanelled auditors and all observations made by the auditors are complied with.

Last week, MediaNama reported that an unidentified bank in India is looking to acquire a ‘deception’ infrastructure that will act as a fail-safe in case hackers try to access its valuable information. Perhaps, more banks need to consider such defenses.

The potential impact on funds and data of customers

CyberX9 alleges that malicious actors could’ve exploited the vulnerability to carry out the following activities:

  1. Steal funds from the bank
  2. Steal confidential financial and personal data of all PNB customers
  3. Steal sensitive and confidential internal emails
  4. Send malicious emails from PNB email addresses
  5. Disrupt all of the bank’s operations
  6. Carry out illegal transactions
  7. Encrypt data and demand a ransom

Advertisement. Scroll to continue reading.
Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.

Views

News

India's IT Rules mandate a GAC to address user 'grievances' , but is re-instatement of content removed by a platform a power it should...

News

There is a need for reconceptualizing personal, non-personal data and the concept of privacy itself for regulators to effectively protect data

News

Existing consumer protection regulations are not sufficient to cover the extent of protection that a crypto-investor would require.

News

The Delhi High Court should quash the government's order to block Tanul Thakur's website in light of the Shreya Singhal verdict by the Supreme...

News

Releasing the policy is akin to putting the proverbial 'cart before the horse'.

You May Also Like

News

Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...

Advert

135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...

News

Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

News

By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Name:*
Your email address:*
*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ