On Sunday, May 31, 2020, a few security researchers reported a major data breach related to a government website in India.
What happened?Security researchers Noam Rotem and Ran Locar from vpnMentor published a report detailing a breach of approximately 7.26 million records related to India’s e-Governance website.
The researchers stated that the data was exposed through a misconfigured Amazon Web Services (AWS) S3 storage bucket containing 409 GB of data, including sensitive profile information and financial data related to the BHIM app users.
Digging deeperAlthough the data breach has been associated with the widely used BHIM app, the app itself did not suffer any data breach.
The breach occurred at one of the e-governance websites (https://cscbhim.in) developed for the Common Service Centres (CSC) program which aims to deliver the Government of India e-governance services to rural and remote locations where availability of computers and the internet is scarce. The data related to BHIM app users was stored on an exposed S3 bucket hosted by the CSC website that suffered the leak.
In response to the incident, NPCI, the maker of the BHIM app, has released a press statement saying, “We have come across some news reports which suggest data breach at BHIM App. We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows a high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem.”