BHIM app users alert: The personal data of more than 70 lakh Indians, including Aadhaar cards, caste certificates, and other documents, has been leaked through a government website. The CSC BHIM website is used to promote the UPI payment app BHIM, and it is reported that the website exposed a large amount of data. CSC e-Governance Services India is a program to provide digital access in rural areas, and the CSC BHIM project was launched to accept UPI payments through QR codes at the village level. Now, however, the data of a large number of Indian citizens has been leaked from this site.
According to Israeli cybersecurity company vpnMentor, 409 GB of data from Indian users was leaked, containing fairly sensitive personally identifiable information. The company says that the information in this leak could be used to hack anything from a user's bank account to their other user accounts. The flaw was revealed on 23 April and was fixed on 22 May.
However, no evidence has been found so far that the BHIM app itself leaked the data, or that there is anything wrong with the UPI system.
How was CSC BHIM data breached?
The vpnMentor report claimed that the data collected by BHIM was stored incorrectly in an Amazon Web Services S3 bucket that was publicly accessible, meaning that anyone could easily access it. This is a common error that many websites make when setting up cloud systems.
Sensitive data of millions of Indians was stored in cloud storage without any security protocol applied to the account.
The data was stored in an unsecured Amazon Web Services (AWS) S3 bucket. S3 buckets are a popular form of cloud storage worldwide, but developers need to set up security protocols on their account to use them safely.
What all data was compromised in the CSC BHIM breach?
According to vpnMentor, the following private documents were leaked from the S3 bucket:
- Scans of Aadhaar cards
- Scans of caste certificates
- Photos of address proof
- Professional certificates, degrees and diplomas
- Screenshots of banking apps for fund transfers, etc.
- Permanent Account Number (PAN) cards
Apart from all this, people's UPI VPA (Transaction ID) was also leaked.
Collected from Gadgets360.com