If recent reports are to be believed, the data of around 70 lakh BHIM UPI users has been exposed. Israeli cybersecurity company vpnMentor said 409GB of data belonging to users in India was exposed. This includes sensitive personal data such as Aadhaar cards, caste certificates, proof of residence, and other personal details.
According to the Israeli firm, a campaign website was being used to sign up users and businesses to the app, and the data thus collected was being stored in a publicly accessible, misconfigured Amazon Web Services S3 bucket.
“Our researchers use port scanning to examine particular IP blocks and test different systems for weaknesses or vulnerabilities. They examine each weakness for any data being exposed. Our team was able to access this S3 bucket because it was completely unsecured and unencrypted,” said the firm in its blog. The following user data is said to have been exposed:
- Scans of Aadhaar cards – India’s national ID
- Scans of Caste certificates
- Photos used as proof of residence
- Professional certificates, degrees, and diplomas
- Screenshots within financial and banking apps as proof of fund transfers
- Permanent Account Number (PAN) cards
- UPI VPAs (transaction IDs)
The firm reached out to India’s Computer Emergency Response Team (CERT-In) about the matter on 28th April. The problem was reportedly rectified on May 22; however, the government has provided no update.