Mobile payments app BHIM Breached, over 7 million records left exposed

According to security researchers Noam Rotem and Ran Locar from vpnMentor, approximately 7.26 million records were exposed through an Amazon Web Services S3 storage bucket. The breach occurred at one of the e-governance websites, https://cscbhim.in, developed for the Common Service Centres (CSC) program.

The leaked data included sensitive profile information and financial data relating to BHIM app users. It was stored in an exposed S3 bucket belonging to the CSC website.

The AWS S3 bucket was reachable from the internet without any authentication. It held users' Aadhaar card scans, caste certificates, PAN numbers and other PII of applicants, together with users' UPI IDs. The app itself, however, did not suffer a data breach.
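An unauthenticated, internet-reachable bucket is a configuration state that an account owner can audit for. The following is an added example, not code from the article, vpnMentor or CSC: it evaluates a bucket's ACL, bucket policy and S3 Block Public Access settings (in the dictionary shapes boto3 returns for get_bucket_acl, get_bucket_policy and get_public_access_block) and reports whether a public read path exists. The sample ACLs and the "example-owner" ID are constructed; the boto3 collector at the end is an assumption about how a team would feed it live data and needs credentials with the corresponding read permissions.

```python
"""Added audit example (not from the article): does a bucket's ACL, policy and
Block Public Access configuration leave it readable without authentication?
Works on dicts shaped like boto3's get_bucket_acl / get_bucket_policy /
get_public_access_block responses. Sample inputs below are constructed."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}  # AuthenticatedUsers = any AWS account
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_is_public(acl):
    """True if any ACL grant targets AllUsers or AuthenticatedUsers."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            return True
    return False


def policy_is_public(policy_doc):
    """True if an Allow statement has a wildcard principal and no Condition
    (a conditioned wildcard, e.g. on aws:SourceVpce, is treated as not public)."""
    if not policy_doc:
        return False
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if wildcard and "Condition" not in stmt:
            return True
    return False


def assess_bucket(acl, policy_doc=None, pab=None):
    """Return (exposed, findings). exposed is True when a public read path
    exists that Block Public Access does not neutralise; findings also lists
    missing guardrails even when nothing is public today."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    findings, exposed = [], False
    if acl_is_public(acl):
        if cfg.get("IgnorePublicAcls"):
            findings.append("public ACL grant present but ignored by IgnorePublicAcls")
        else:
            exposed = True
            findings.append("ACL grants access to a public group; IgnorePublicAcls is off")
    if policy_is_public(policy_doc):
        if cfg.get("RestrictPublicBuckets"):
            findings.append("public bucket policy present but neutralised by RestrictPublicBuckets")
        else:
            exposed = True
            findings.append("bucket policy allows Principal '*'; RestrictPublicBuckets is off")
    missing = [k for k in PAB_KEYS if cfg.get(k) is not True]
    if missing:
        findings.append("Block Public Access not fully enabled: " + ", ".join(missing))
    return exposed, findings


def fetch_bucket_config(bucket, client=None):
    """Assumed collector: pull live settings with boto3 (needs credentials and
    s3:GetBucketAcl / GetBucketPolicy / GetBucketPublicAccessBlock)."""
    import boto3
    from botocore.exceptions import ClientError
    client = client or boto3.client("s3")
    acl = client.get_bucket_acl(Bucket=bucket)
    policy = pab = None
    try:
        policy = client.get_bucket_policy(Bucket=bucket)["Policy"]
    except ClientError as e:
        if e.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
    try:
        pab = client.get_public_access_block(Bucket=bucket)
    except ClientError as e:
        if e.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
    return acl, policy, pab


OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"},
         "Permission": "FULL_CONTROL"}
# Constructed: world-readable ACL and no Block Public Access at all.
EXPOSED_ACL = {"Owner": {"ID": "example-owner"},
               "Grants": [OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS},
                                  "Permission": "READ"}]}
# Constructed hardened state: owner-only ACL, all four BPA settings on.
PRIVATE_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [OWNER]}
FULL_BLOCK = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}

if __name__ == "__main__":
    for name, args in (("exposed-sample", (EXPOSED_ACL,)),
                       ("hardened-sample", (PRIVATE_ACL, None, FULL_BLOCK))):
        exposed, findings = assess_bucket(*args)
        print(name, "EXPOSED" if exposed else "ok", findings)
```

The check deliberately treats a public ACL or policy as neutralised only when the matching Block Public Access flag is on, because that is the account-level guardrail that would have made a bucket like this one unreadable regardless of its ACL; running assess_bucket over the output of fetch_bucket_config for every bucket in the account turns this into a routine inventory job.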

The maker of the BHIM app released a press statement saying, “We have come across some news reports which suggest data breach at BHIM App. We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows a high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem.”

Since the app itself was not breached, users can continue to use it with due caution. Adcy.io recommends never sharing sensitive financial information, and using unique, strong passwords together with two-factor authentication.