India’s largest bank, the State Bank of India (SBI), has leaked the financial data of millions of its customers, according to a TechCrunch report.
The bank, according to TechCrunch on Wednesday (Jan.30th), left a server with the banking data of its customers unprotected.
The reported server made sensitive data accessible for anyone to view, but the issue appears to have been fixed.
The unprotected server was discovered at one of its data centres in Mumbai by a security researcher, who preferred to remain anonymous.
The server, which stored two months of financial data from SBI Quick, is a text message and call-based system that allows customers to review their recent transactions, balances, and credit information.
However, the bank had not protected its server using a password, thus giving anyone, who knew where to look, access to the bank details of millions of customers.
‘SBI Quick’ messages
The report explains that the password-less server housed a back-end-system on the SBI Quick service, which exposed sent messages to customers. Due to an insecure database, TechCrunch confirmed that the researcher was able to see outgoing messages in real time as well as daily archives of messages sent over the last two months.
TechCrunch was able to confirm the bank sent out over three million text messages, through the server holding information, on one day alone.
To further verify the authenticity of the data, TechCrunch asked security researcher Karan Saini to send a text message to the system. “Within seconds, we found his phone number in the database, including the text message he received back”.
“The data available could potentially be used to profile and target individuals that are known to have high account balances,” said Saini in a message to TechCrunch. Saini said that knowing a phone number “could be used to aid social engineering attacks — which is one of the most common attack vectors in the country with regard to financial fraud,” he said.
Though the issue has been fixed, it still remains unclear how long their server was left unprotected. The Bank is yet to verify how many users were affected by the breach.
Aadhaar data breach
Just days earlier, SBI had accused Aadhaar’s authority, Unique Identification Authority of India (UIDAI), of mishandling citizen data that allowed fake Aadhaar identity cards to be created.
However, UIDAI, dismissed the allegations, by saying there was “no security breach“ of its systems.
“Data protection is virtually impossible”
Commenting on the latest data breach, Ilia Kolochenko, CEO of web security firm High-Tech-Bridge, said: “In light of the economic slowdown in many developed countries, India is becoming a growing and dynamic market both for entrepreneurs and cybercriminals. Many new startups start offering various e-services related to micro-finance and other niches that involve the handling of personal and financial data. At the same time, the best cybersecurity minds of the country are employed by Western companies, creating a considerable skills shortage for local companies.
“Cybercriminals carefully monitor and analyse emerging opportunities for low hanging fruit, and undoubtedly India will become a priority on their criminal To Do list.
“Speaking about this particular leak, I think virtually any large financial organisations may face a similar incident. Modern IT infrastructures are so complicated that virtually no single company has an up2date and holistic inventory of their digital assets, let alone continuous monitoring and related security processes. While data sharing with trusted third-parties makes privacy and data protection virtually impossible.”