The State Bank of India has been entangled in a major controversy after it was discovered that the bank had exposed the financial data of millions of its customers.
According to a TechCrunch report, an insecure server granted anyone access to financial information on millions of the bank's customers, including bank balances and recent transactions.
The server, hosted in a Mumbai-based service centre, stored two months of data from SBI Quick, a text-message and call-based service owned by the bank. Customers use the service to request information about their bank accounts.
What is striking is that the server was not protected by a password, which gave anyone who came looking a window to snoop on the data of millions of customers.
It is still unclear how long the server remained unprotected, but it was long enough for the flaw to be discovered by a security researcher.
The exposed data includes sensitive information such as customers' phone numbers and account details. If hackers were to gain access to it, they could use those phone numbers to call customers and blackmail them. The leak did not expose any authentication information such as passwords or user IDs, which is a sigh of relief for many SBI customers.
According to TechCrunch, the exposed system was the service's back-end messaging system, which was storing millions of text messages.
The unprotected database gave complete, real-time access to the text messages being sent to customers, which included their phone numbers, bank balances and recent transactions. The database also contained part of each customer's bank account number, and could reveal when a cheque had been cashed.
It appears that SBI had been informed of the issue earlier by an anonymous security researcher, which may be why TechCrunch quoted an unnamed source, who presumably feared legal consequences.
This massive story showcases the need for adoption of a ‘Responsible Vulnerability Disclosure’ policy that doesn’t penalise the security researcher community. There is an ISO/IEC 29147 policy now available and companies serious about their security need to adopt this, to safeguard their cyber posture. It is a shame that security researchers are threatened with legal action even when they approach organisations via the responsible disclosure route.
Ankush Johar, Director at Infosec Ventures
Later, TechCrunch got in touch with an India-based security researcher, Karan Saini, who said: “The data available could potentially be used to profile and target individuals that are known to have high account balances”. He further added: “knowing a phone number could be used to aid social engineering attacks – which is one of the most common attack vectors in the country with regard to financial fraud”.
Ironically, just a couple of days ago, SBI, India's largest banking network, had accused UIDAI of mishandling citizens' data, which it said had led to fake Aadhaar ID cards being created. UIDAI denied the report and said there had been no security breach of its system.