Like most people, you probably woke up to the news that, 409 GB of sensitive information, related to the BHIM app, was exposed to the public. In their report vpnMentor states that ~7.26 million records were exposed on an unsecured Amazon S3 bucket belonging to http://cscbhim.in/, which is under the https://csc.gov.in/ site. There has been a lot of speculation about the breach, whom it affects, and to what extent. Let’s understand the details of the data leak, so that we can take the right precautions, instead of pursuing a straw man.
Myth vs Fact
1. The exposed data does not belong to BHIM app users
Myth:The personal and sensitive information, of millions of Indians using the BHIM app, has been exposed.
Fact:Yes, data was exposed on an unsecured Amazon S3 bucket. However, this S3 bucket does not store data from the BHIM app, but from the CSC-BHIM app that is developed and maintained by the Common Services Centres (CSC) e-Governance Services India Limited.
What is CSC e-Governance and how is it related to BHIM?The CSC scheme is a project under the Digital Indian Programme that aims to deliver essential public utility services, social welfare schemes, healthcare, financial, education and agriculture services. CSC e-Governance works to deliver these services through an IT-enabled network that connects the local population with government departments, banks, insurance companies and educational institutions. The CSC-BHIM site is used by CSC e-Governance to onboard small businesses and farmers onto the BHIM app. So, unless you are a Village Level Entrepreneur (VLE) manager, or an associated merchant who signed on to the BHIM app in February 2019, through the CSC e-Governance initiative, your data is not affected.
2. Hackers have not found a vulnerability in the BHIM app
Myth:Hackers have found a vulnerability that gives them access to BHIM app users’ data.
Fact:To open a BHIM account the app requests for your bank account number, and the mobile number linked to it. And for a merchant account, the app only needs the name of the business, merchant category, address, State, and pincode, in addition to the account number and mobile number. Apart from these details, the BHIM app stores your transaction details. However, as seen in the report, no bank account details, or transaction details have been exposed. Instead, it has exposed details that the BHIM app does not request or store, including:
- Scans of Aadhaar cards
- Scans of Caste certificates
- Photos used as proof of residence
- Professional certificates, degrees, and diplomas
- Screenshots taken within financial and banking apps as proof of fund transfers
- Permanent Account Number (PAN) cards (associated with Indian income tax services)
- Date of birth
- Home address
- Caste status
- Biometric details
- Profile and ID photos, such as fingerprint scans
- ID numbers for government programs and social security services
3. The data exposed cannot be used to open a BHIM account
Myth:The report claims that “These records are highly sensitive, including many documents needed to open an account on BHIM.”
Fact:As seen in the previous section, the BHIM app only verifies your bank account number and the mobile number associated with it. In addition, it sends a verification code to validate your number. So, these documents by themselves cannot be used to open a BHIM account.
4. The leaked UPI IDs do not give hackers information about a person’s finances and bank accounts
Myth:The report states that the CSV files, which contain the merchants’ business names and UPI IDs, gives hackers “information about a person’s finances and bank accounts. This data would make illegally accessing those accounts much easier.” The report goes on to claim that: “The exposure of BHIM user data is akin to a hacker gaining access to the entire data infrastructure of a bank, along with millions of its users’ account information.”
Fact:As anybody who uses the BHIM app for transactions knows, a person or merchant’s UPI ID does not give any information about their finances and bank accounts. Instead, it is freely shared between people, and prominently displayed by most businesses, to carry out transactions on the app. Also, UPI IDs and business names are not the same as getting access to a bank’s infrastructure, because it does not reveal the BHIM users’ account numbers, balances, or transactions.
How to deal with the data leak?Now that we know the data leak does not affect BHIM app users, we can address its actual impact, and some precautionary measures to prevent misuse of the data.
Who should be concerned?
- Village Level Entrepreneur (VLE) managers, who are CSC partners helping onboard merchants.
- Merchants who signed on to the BHIM app, through the CSC e-Governance initiative, in and around February 2019.
What is the impact of the data exposure?There is no denying that exposing Personally Identifiable Information (PII) is a breach of privacy and its impact cannot be minimised. It makes the people, whose data has been exposed, prime targets for threat actors. The victims are potentially susceptible to a wide range of attacks including, identity theft, phishing attacks, and social engineering tactics.
What are some precautions the victims should take?
- Use strong passwords that are difficult to brute-force.
- Be wary of calls or emails in which the caller or sender details your personal information.
- Caution your family and friends against threat actors assuming your identity to defraud them.
- Don’t share OTPs or verification codes with anybody.