BHIM, or Bharat Interface for Money, an India-based payment app, may have experienced a massive data leak, according to a post by VPNMentor. The site claims that a misconfigured AWS S3 bucket has exposed the information of over 7 million individuals.
BHIM has issued a public statement refuting the claim of a security breach. Earlier today, BHIM issued the following statement:
“We have come across some news reports which suggest data breach at BHIM App. We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows a high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem.”
National Payments Corporation of India (NPCI) was incorporated in 2008 as an umbrella organization for retail payments and settlements in India. NPCI offers multiple retail payment products, including RuPay card, Immediate Payment Service (IMPS), Unified Payments Interface (UPI), Bharat Interface for Money (BHIM), BHIM Aadhaar, National Electronic Toll Collection (NETC Fastag) and Bharat BillPay.
“The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals.”
Additionally, VPNMentor reports that the company contacted the website developers to notify them of the misconfiguration in their S3 bucket and to offer assistance. The company says that, after not receiving a reply, it contacted India’s Computer Emergency Response Team (CERT-In), which deals with cybersecurity in the country. After a second outreach, weeks later, the breach was closed.
The VPNMentor researchers claim the team uncovered the misconfigured servers as part of a web mapping project and the S3 bucket was “completely unsecured and unencrypted.”