Like most people, you probably woke up to the news that 409 GB of sensitive information related to the BHIM app was exposed to the public. In its report, vpnMentor states that ~7.26 million records were exposed on an unsecured Amazon S3 bucket belonging to http://cscbhim.in/, a site under https://csc.gov.in/.
There has been a lot of speculation about the breach, whom it affects, and to what extent. Let’s understand the details of the data leak, so that we can take the right precautions, instead of pursuing a straw man.
The personal and sensitive information, of millions of Indians using the BHIM app, has been exposed.
Yes, data was exposed on an unsecured Amazon S3 bucket. However, this S3 bucket does not store data from the BHIM app itself, but from the CSC-BHIM app, which is developed and maintained by Common Services Centres (CSC) e-Governance Services India Limited.
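As an added illustrative check (not from the vpnMentor report or the CSC-BHIM project), the following Python evaluates the three places where an S3 bucket can be opened to the public: its bucket policy, its ACL, and its Block Public Access settings. The inputs are constructed samples shaped like the corresponding boto3 responses; in practice they would come from get_bucket_policy, get_bucket_acl and get_public_access_block.

```python
# Offline check for the misconfiguration class behind this leak: an S3 bucket
# readable by anyone. Inputs are constructed samples shaped like the boto3
# responses of get_bucket_policy, get_bucket_acl and get_public_access_block.
import json

PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed sample: a policy that lets anonymous callers read every object.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
# Constructed sample: an ACL with a READ grant to the AllUsers group.
SAMPLE_ACL = {"Grants": [{"Permission": "READ", "Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}
# Constructed sample: the PublicAccessBlockConfiguration, only half enabled.
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}


def principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (the AWS value may be a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def policy_public_statements(policy_json):
    """Sids of Allow statements open to everyone and not scoped by a Condition."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # single-statement form
    return [stmt.get("Sid", "<no Sid>") for stmt in stmts
            if stmt.get("Effect") == "Allow" and not stmt.get("Condition")
            and principal_is_public(stmt.get("Principal"))]

def acl_public_grants(acl):
    """Permissions the ACL grants to the AllUsers / AuthenticatedUsers groups."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g.get("Grantee", {}).get("URI") in PUBLIC_ACL_URIS)

def public_access_block_complete(pab):
    """True only when all four Block Public Access settings are enabled."""
    return all(pab.get(k) is True for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                            "BlockPublicPolicy", "RestrictPublicBuckets"))
```

A bucket passes only when the policy and ACL checks return empty and the Block Public Access check returns True; a statement with Principal "*" that carries a Condition is skipped here and should be reviewed by hand.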
The CSC scheme is a project under the Digital India Programme that aims to deliver essential public utility services, social welfare schemes, and healthcare, financial, education and agriculture services. CSC e-Governance delivers these services through an IT-enabled network that connects the local population with government departments, banks, insurance companies and educational institutions.
The CSC-BHIM site is used by CSC e-Governance to onboard small businesses and farmers onto the BHIM app.
So, unless you are a Village Level Entrepreneur (VLE) manager, or an associated merchant who signed on to the BHIM app in February 2019 through the CSC e-Governance initiative, your data is not affected.
Hackers have found a vulnerability that gives them access to BHIM app users’ data.
To open a BHIM account, the app requests your bank account number and the mobile number linked to it. For a merchant account, the app additionally needs only the name of the business, merchant category, address, State and pincode. Apart from these details, the BHIM app stores your transaction details.
However, as seen in the report, no bank account details or transaction details have been exposed. Instead, the bucket exposed details that the BHIM app does not request or store, including:
The report claims that “These records are highly sensitive, including many documents needed to open an account on BHIM.”
As seen in the previous section, the BHIM app only verifies your bank account number and the mobile number associated with it. In addition, it sends a verification code to validate your number. So, these documents by themselves cannot be used to open a BHIM account.
The report states that the CSV files, which contain the merchants’ business names and UPI IDs, give hackers “information about a person’s finances and bank accounts. This data would make illegally accessing those accounts much easier.”
The report goes on to claim that: “The exposure of BHIM user data is akin to a hacker gaining access to the entire data infrastructure of a bank, along with millions of its users’ account information.”
As anybody who uses the BHIM app for transactions knows, a person’s or merchant’s UPI ID does not give any information about their finances or bank accounts. Instead, it is freely shared between people, and prominently displayed by most businesses, to carry out transactions on the app.
Also, UPI IDs and business names are not the same as access to a bank’s infrastructure, because they do not reveal BHIM users’ account numbers, balances, or transactions.
Now that we know the data leak does not affect BHIM app users, we can address its actual impact, and some precautionary measures to prevent misuse of the data.
There is no denying that exposing Personally Identifiable Information (PII) is a breach of privacy, and its impact cannot be minimised. It makes the people whose data has been exposed prime targets for threat actors. The victims are potentially susceptible to a wide range of attacks, including identity theft, phishing attacks, and social engineering tactics.