Data Breach of CSC Website Exposed Data of Over 7 Million BHIM Users

TechLatest is supported by readers. We may earn a commission for purchases using our links. Learn more.

Popular UPI Payments App BHIM is recently in trouble as a data breach of CSC Website exposed data of over 7 million BHIM users including many financial and personal details of users.


Data Breach of CSC Website Exposed Data of Over 7 Million BHIM Users

So what happened is, BHIM app stores users data on a website, and that website was stored in a misconfigured cloud storage server. So there was no proper security protocol that could prevent hackers from breaching the server. This whole incident is reported by vpnMentor which is a cybersecurity firm based in Israel.

Now the caretaker and developer of the official BHIM website where the sensitive data is kept is apparently Common Services Center(CSC) e-Governance Services LTD and it is also partly managed by the Indian Government.

“It appears CSC established the website connected to the misconfigured S3 Bucket to promote BHIM usage across India and sign up new merchant businesses, such as mechanics, farmers, service providers, and store owners onto the app. It’s difficult to say precisely, but the S3 bucket seemed to contain records from a short period: February 2019. However, even within such a short timeframe, over 7 million records had been uploaded and exposed” said vpnMentor.

data breach of CSC website exposed data of over 7 million BHIM users

The data breach of CSC website exposed data of over 7 million BHIM users and this exposed data is around 409GB in size and it contains sensitive information like Scans of Aadhaar Card with the number, name, gender, DOB, PAN Number, UPI IDs, scanned copies of religious and caste certificates, photos of users along with residential address, professional degrees and certificates, screenshots of financial and banking apps, scans of fingerprint impressions. Isn’t that crazy and very bad that many Indians had their sensitive data leaked?

This whole vulnerability with the website was first detected on April 23rd April and vpnMentor apparently approached to Computer Emergency and Response Team(CERT-In) on April 28. The CERT responded to the complaints on the following day and it is said that the loopholes in the website security were taken out on May 22.

Noam Rotem and Ran Locar, the cybersecurity researchers who discovered the data leak, said: “The sheer volume of sensitive, private data exposed, along with UPI IDs, document scans, and more, makes this breach deeply concerning. The exposure of BHIM user data is akin to a hacker gaining access to the entire data infrastructure of a bank, along with millions of its users’ account information.”

“The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cyber criminals,” the cybersecurity firm said in a statement.

This is what NPCI(National Payments Cooperation of India) said about the data breach of CSC website exposed data of over 7 million BHIM users, “We have come across some news reports which suggest data breach at BHIM App. We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem”


So far there have been no cases of misuse of the leaked data of users but users are warned not to share any OTP, nor respond to any calls or emails that seek your bank account details and we suggest you do the same. It is always better to keep yourself safe but it is just crazy that even if you follow all safety protocols, your data is still at risk and that is just very sad.

Source | Via

Read More About

Xiaomi’s New Mi Notebook Heading to India on June 11


Internet Safety: How To Browse Internet Responsibly And Safely

Leave a Comment
Related Topics
Notify of
Inline Feedbacks
View all comments