Ivan Mehta reports:
A data leak from India’s BHIM payment app exposed personal data of 7 million Indians including addresses, scans of Aadhaar IDs, and caste certificates.
A report from cybersecurity company VPN Mentor suggests that this 409GB database was stored in a misconfigured AWS S3 bucket, making all data publicly accessible. The report noted that the database belonged to BHIM’s website, which is mainly used for onboarding users.
Read more on TheNextWeb.
Update: The Hindu reports:
Following a report by security researchers alleging leak of personal data of millions of users of government’s BHIM payment application due to a website breach, the National Payments Corporation of India (NPCI) on Monday denied the claim, asking “everyone to not fall prey to such speculations”.
Their statement:
“We have come across some news reports which suggest data breach at BHIM App. We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem,” NPCI said in a statement.
When someone describes in detail what they saw and how they got it locked down after repeated efforts, who are you going to believe: them, or others who say “Nothing happened at all”?