Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered a massive amount of incredibly sensitive financial data connected to India’s mobile payment app Bharat Interface for Money (BHIM) that was exposed to the public.

According to a vpnMentor report, the website was being used in a campaign to sign large numbers of users and business merchants to the app from communities across India. All related data from this campaign was being stored on a misconfigured Amazon Web Services S3 bucket and was publicly accessible.

The BHIM website was developed by a company called CSC e-Governance Services LTD. in partnership with the Indian government, says the report. It appears CSC established the website connected to the misconfigured S3 Bucket to promote BHIM usage across India and sign up new merchant businesses, such as mechanics, farmers, service providers, and store owners onto the app.

It’s difficult to say precisely, but the S3 bucket seemed to contain records from a short period: February 2019. However, even within such a short timeframe, over 7 million records had been uploaded and exposed, say the researchers. 

The 7 million records exposed contain highly sensitive information, including many documents needed to open an account on BHIM, such as:

• Scans of Ardaar cards – India’s national ID
• Scans of Caste certificates
• Photos used as proof of residence
• Professional certificates, degrees, and diplomas
• Screenshots taken within financial and banking apps as proof of fund transfers
• Permanent Account Number (PAN) cards (associated with Indian income tax services)

The private personal user data within these documents gave a complete profile of individuals, their finances, and banking records:

• Names
• Dates of birth
• Age
• Gender
• Home address
• Religion
• Caste status
• Biometric details
• Profile and ID photos, such as fingerprint scans
• ID numbers for government programs and social security services

Based on vpnMentor research, the S3 bucket contained massive CSV lists of merchant businesses signed up to BHIM, along with the business owner’s UPI ID number. Similar CSV lists of individual app users and their UPI IDs, with over 1 million such entries, were also exposed.

The UPI payment system is similar to a bank account in many ways, notes the report; therefore, it would be incredibly valuable to hackers, giving them access to vast amounts of information about a person’s finances and bank accounts. The S3 bucket also contained an Android application package (APK), a file format used by Android’s operating system for the distribution and installation of apps, says the report. AWS Key pairs are the equivalent of admin user/password in Amazon’s infrastructure, potentially giving the holder of the key access to all data, the ability to start and stop servers, access the S3 bucket’s controls, and more.

For examples of data exposed and more details about the data breach, please visit https://www.vpnmentor.com/blog/report-csc-bhim-leak/