SBI Leaked Sensitive Financial Data of Millions of Customers
The State Bank of India has been embroiled in a major controversy after it was discovered that the bank had leaked financial data of millions of its customers.
According to a TechCrunch report, the bank had left a server unprotected, granting anyone access to financial information on millions of its customers. This included information like bank balances and recent transactions.
The server, which was hosted in a Mumbai-based service centre, stored two months of data from a text-message and call-based service, SBI Quick, which is owned by the bank. The service is used to request information about customers’ bank accounts.
What’s shocking is that the bank hadn’t protected the server with a password, which gave anyone who went looking a window to snoop around the data of millions of customers.
There is still ambiguity around how long the server remained unprotected. Yet it was long enough for the flaw to be discovered by a security researcher.
The leaked data contains sensitive information like the phone numbers and account details of its customers. If hackers were to gain access to this information, they could use those phone numbers to call customers and blackmail them. The leak hasn’t revealed any kind of authentication information like passwords or user IDs, which is a sigh of relief for many SBI customers.
The SBI Quick feature is mostly used by customers who use feature phones. It allows users to text the bank, or make a call, and retrieve information about their accounts by text message. This form of communication is ideal for SBI as it largely caters to consumers who cannot afford smartphones or are unable to operate them. Poor network coverage is another reason this service is promoted.
This service makes it easier for customers when they want to know the status of their last five transactions, block an ATM card and make inquiries about home or car loans.
According to TechCrunch, the back-end message system of this service was exposed, storing millions of text messages.
The unprotected database gave complete access to the text messages going to customers in real time, which included the customers’ phone numbers, bank balances and recent transactions. The database also contained part of customers’ bank account numbers. This information could also reveal when a cheque had been cashed.
It seems that SBI was informed about the issue earlier by an anonymous security researcher, which could be the reason TechCrunch quoted an unnamed source who must have feared legal consequences.
“This massive story showcases the need for adoption of a ‘Responsible Vulnerability Disclosure’ policy that doesn’t penalise the security researcher community. There is an ISO/IEC 29147 policy now available and companies serious about their security need to adopt this, to safeguard their cyber posture. It is a shame that security researchers are threatened with legal action even when they approach organisations via the responsible disclosure route.” – Ankush Johar, Director at Infosec Ventures
Later, TechCrunch got in touch with India-based security researcher Karan Saini, who said, “The data available could potentially be used to profile and target individuals that are known to have high account balances”. He further added, “knowing a phone number could be used to aid social engineering attacks – which is one of the most common attack vectors in the country with regard to financial fraud”.
What’s ironic is that, just a couple of days ago, India’s largest banking network SBI had accused UIDAI of mishandling the data of citizens, which led to fake Aadhaar ID cards being created. UIDAI denied the report and said there was no security breach of its system.
Currently, there is no information on how much data has been compromised. The bank is yet to comment on the breach.