Data of over 7 million BHIM users exposed in CSC website breach

The CSC BHIM app data breach exposed payment and personal details of over 7 million Indians.

The leaked data exposed BHIM app users' Aadhaar numbers along with names, gender, dates of birth, PANs, religion and caste certificates, and more.

The website of the popular digital wallet BHIM suffered a data breach exposing the financial and personal details of more than 7 million Indians.
Apparently, the user data of the BHIM app website was stored in a misconfigured cloud storage server, an Amazon Web Services S3 bucket. There was no security protocol in place to prevent hackers from breaching the server, reported vpnMentor, an Israel-based cybersecurity firm.

The company responsible for developing the official BHIM website, and the caretaker of the sensitive data, is understood to be Common Services Center (CSC) e-Governance Service Ltd, which is also partly managed by the Indian government.

It appears that CSC established the website connected to the misconfigured S3 bucket to promote BHIM usage across India and to sign up new merchant businesses, such as mechanics, farmers, service providers, and store owners, onto the app. It's difficult to say precisely, but the S3 bucket seemed to contain records from a short period: February 2019.

The exposed user data, understood to be around 409 GB in size, contains sensitive information such as scans of the Aadhaar card with the number, gender, date of birth, PAN card details, UPI IDs, scanned copies of caste certificates, users' pictures along with residential details, and scans of fingerprint impressions, among others.

So far, there are no official reports of misuse of BHIM UPI app users' financial data, but consumers are warned not to share OTPs or respond to calls or e-mails from anybody seeking bank account numbers or any financial details.


                
