Mobile payment app BHIM leaked financial data of 7 million Indians

According to researchers, 409 GB worth of BHIM’s customer data was available on a public domain.

A week ago Hackread.com reported how personal and sensitive data of 29 million Indian job seekers was leaked on the dark web. Now, Bharat Interface for Money (BHIM), India’s emerging new e-payments platform, has suffered a massive data breach and sensitive financial data of around 7 million Indians is possibly at risk.

The breach was discovered on April 23, 2020,  but only announced recently.

BHIM is a mobile payment application that was launched in 2016 by the National Payments Corporation of India. The breach was reported by Israel-based cybersecurity firm vpnMentor’s Noam Rotem and Ran Locar. 




The duo revealed that 409 GB worth of data was available on a public domain after the exposure. The leaked information may include personally identifiable information including bank records, Aadhaar card images, residential status and proof, caste certificates, and full profile of BHIM customers. 

Researchers claim that a campaign to invite users and business merchants to sign-up on the app was being carried out via the BHIM website. A portion of the collected data was being stored in a misconfigured Amazon Web Service S3 bucket, and hence, was publicly accessible.

Reportedly, records submitted from February 2019 onwards were stored in the S3 bucket.

BHIM app was primarily developed to encourage cashless transactions in the country and a large number of Indians were using it for money transfers between mobile phone and bank accounts. Naturally, sensitive financial data as part of the information stored by the app. 

Included in the exposed data are the UPI identifiers that the CSC e-Governance associates had uploaded. A CSC e-Governance spokesperson stated that data entries like a merchant’s virtual payment address were kept open to public access so as to ensure transparency of the system but Aadhar card data of the merchants weren’t publicly disclosed.

The UPI payment system is similar to a bank account in many ways. It would be incredibly valuable to hackers, giving them access to vast amounts of information about a person’s finances and bank accounts. This data would make illegally accessing those accounts much easier, researchers warned in their blog post.

Here are some screenshots from the breach:

Therefore, it isn’t possible that Aadhar card data could be exposed to the public. Apart from personal data, the portal’s static pages, pictures, PDF files, e-text, and awareness videos were also made public.

The researchers informed the Computer Emergency Response Team (CERT-In), India’s main cybersecurity agency, about the incident. Rotem claims that the scale of data exposure is extraordinarily large and millions of Indians are currently at risk of fraud, theft, and cyberattacks. 

You may also like...