Insight on the BHIM data breach case

Published on : 10 Jun 2020

bhim data breach case

In the recent few months, apart from the Corona Virus and Cyclones making strong headlines across news channels and print media, I believe the one news that recently created a stir in the InfoSec fraternity was the news on the 409 GB data breach of BHIM users that was published on May 31, 2020. Needless to say, by default, people turned towards NPCI the premier body for processing of digital data in India.  

What is NPCI?

NPCI is the governing body for operating retail payments and settlement systems in India, responsible for a host of innovative and cutting-edge products such as RuPay card, Immediate Payment Service (IMPS), Unified Payments Interface (UPI), Bharat Interface for Money (BHIM), BHIM Aadhaar, National Electronic Toll Collection (NETC Fastag) and Bharat BillPay.

As an auditor for PCI DSS to NPCI for the past 3 years, I was shocked and surprised at the reporting of the incident, since the facts didn’t add up accurately to me. So, let’s get down to the brass tacks and set the records straight about the entire incident. 

What really happened?

Security researchers Noam Rotem and Ran Locar from Israeli cybersecurity website vpnMentor published a report detailing a breach of approximately 7 million BHIM records. Apparently, the data from February 2019 was stored in a misconfigured Amazon S3 bucket. 

What was the impact?

The leaky AWS S3 bucket was accessible on the internet without any authentication. The 409-gigabyte data dump included personal identifiable information such as Aadhaar card details, residence proof, bank records, caste certificates, along with a complete profile of individuals such as Name, Date of birth, Age and even fingerprint scans.

So, clearly, the vulnerability was NOT IN THE BHIM APP per se, but in a supportive website of another separate organization – CSC.

The leaky S3 bucket does not store data from the BHIM app, but from the CSC-BHIM app that is developed and maintained by the Common Services Centre (CSC) e-Governance Services India Limited. The CSC-BHIM site is used by CSC e-Governance to onboard small businesses and farmers onto the BHIM app.

So, unless you are a Village Level Entrepreneur (VLE) manager, or an associated merchant who signed on to the BHIM app in February 2019, through the CSC e-Governance initiative, your data is not affected.

In any case, all the data as mentioned above, even though if in someone’s direct possession cannot really be used for activating a BHIM account, since the activation requires a verification code which is sent to the mobile number connected to the bank account. 

So, to cut it short, this massive breach of privacy will in no way reveals any data of the person’s finances, bank accounts and transactions details. 

My take on this incident

Having read about the incident, the very first thing that struck me was that the BHIM App is a UPI based payment interface that allows real-time fund transfer using a single identity like your mobile number for any transactions. BHIM app doesn’t have access to any personal data of a user. Further, they have no privacy data stored on any of NPCI infrastructure. All the data in question are generally stored with the relevant banks. To get registered with BHIM and to use the UPI interface, only the users bank account number and mobile number are linked to it. Further, for the final activation, a verification code is sent to the registered number. Apart from these details, BHIM does store the transaction details. 

In either case, had this been a breach in NPCI security, the only data that would have been leaked would be the bank account and transaction details. But, none of these details have been exposed. To set things clear on record, there is absolutely no data of NPCI ever stored on Cloud, be it by AWS or Azure or any other provider. You ask how I know this? Well, being the auditor of NPCI for the past 3 years, I know this as a certifiable fact. So, you ask where NPCI data gets stored? Well, that’s confidential information that can’t be disclosed.

Lastly, no information was provided on whether the researchers followed the practices of ethical reporting and reported the incident to CERT-IN and gave the portal providers (CSC) due chance to fix the bug. I am also not clear as to whether this was a bug reporting that happened or whether the privacy data actually got out into the wild. Further, there was no clarity or evidence given on whether the bug was actually exploited? And whether there was any investigation done to that effect by this reporter or by CERT-IN???

Sadly, none of these clarifications were provided in the print media, which brings me to only questioning the kind of journalism and reporting that happens these days in the industry.

The article that I came across seemed to be just farfetched and misleading, with no clear facts reported or stated, written with an intention to simply garner undue attention. Incidents like this stated on the print media and many more of such similar kind that often floats around in the net is nothing more than a good example of misinformed journalism.

Journalism and reporting that are simply cooked to create a stir and gather attention and views based on FUD (Fear, Uncertainty and Doubt).  I really hope that the authorities take due cognizance of the situation and take action against such cheap journalism tactics. Ideally, the reports should have factual information, stating hard core and well investigated facts rather than just printing half-baked information, without giving a second thought to the impact it would have on the users and innovative products such as BHIM and reputed organization like the NPCI.

If you wish to share any views or comments on my take or for any queries, you can get in touch with me on: Narendra.Sahoo[at]vistainfosec dot com


Narendra Sahoo
Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.