# Privacy: Indian mobile payment app suffers data breach

Over seven million users’ sensitive financial details have been exposed online following a data breach

On April 23, researchers at vpnMentor discovered an unsecured Amazon Web Services (AWS) S3 bucket belonging to BHIM, Bharat Interface for Money, an Indian mobile payment app. 

It should be noted that the BHIM website in question was developed by CSC e-Governance Services LTD. 

In a blog post, the researchers explained that the misconfigured bucket had been used to promote BHIM usage across India and to sign up new merchant businesses, and that it contained 409 GB of data.
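The root cause reported above is a publicly readable S3 bucket. The following added example (not code from vpnMentor's report, BHIM or CSC) shows the kind of offline check a cloud security team runs over a bucket's policy document and its Public Access Block settings to flag world-readable access before it is found by someone else. The bucket names, the account id, the policy documents and the access-block settings are all constructed placeholders; `audit_bucket`, `public_read_statements` and `public_access_block_gaps` are hypothetical helper names.

```python
"""Static check of S3 bucket configuration for anonymous (world) read access.

Added example; not from vpnMentor's report or from BHIM/CSC. Every bucket
name, account id and policy below is a constructed placeholder.
"""
from fnmatch import fnmatch

# Actions that let an anonymous caller list or download objects.
READ_ACTIONS = ("s3:getobject", "s3:listbucket")

# Constructed policy resembling a typical "public read" misconfiguration.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-open-bucket",
                         "arn:aws:s3:::example-open-bucket/*"],
        }
    ],
}

# Constructed hardened policy: only a named role may read, and an explicit
# Deny refuses any request that is not over TLS (placeholder account id).
LOCKED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RoleReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-locked-bucket/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-locked-bucket/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

# Public Access Block settings: every flag false (constructed) vs. all enabled.
NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
FULL_BLOCK = {k: True for k in NO_BLOCK}


def is_public_principal(principal) -> bool:
    """True when the statement applies to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_read_statements(policy: dict) -> list:
    """Return Sids of unconditional Allow statements granting read access to everyone."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not is_public_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditioned grants are left for manual review, not flagged
        actions = stmt.get("Action", [])
        patterns = [actions.lower()] if isinstance(actions, str) else [a.lower() for a in actions]
        # Wildcards such as "s3:*" or "s3:Get*" are expanded with fnmatch.
        if any(fnmatch(read, pat) for read in READ_ACTIONS for pat in patterns):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def public_access_block_gaps(config: dict) -> list:
    """Return the Public Access Block flags that are missing or disabled."""
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    return [flag for flag in required if not config.get(flag, False)]


def audit_bucket(name: str, policy: dict, block_config: dict) -> dict:
    """Combine both checks; a public policy is only exploitable by anonymous
    callers when RestrictPublicBuckets is not enforcing on top of it."""
    sids = public_read_statements(policy)
    gaps = public_access_block_gaps(block_config)
    return {"bucket": name, "public_read_sids": sids, "block_gaps": gaps,
            "exposed": bool(sids) and "RestrictPublicBuckets" in gaps}


if __name__ == "__main__":
    for result in (audit_bucket("example-open-bucket", OPEN_POLICY, NO_BLOCK),
                   audit_bucket("example-locked-bucket", LOCKED_POLICY, FULL_BLOCK)):
        print(result)
```

In a real review the two inputs come from `get-bucket-policy` and `get-public-access-block` for every bucket in the account; the point of keeping the evaluation separate from the API calls is that the same logic can run in CI against infrastructure-as-code templates before a bucket ever exists.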

Over 7 million records were exposed, including highly sensitive data such as scans of Aadhaar cards, scans of caste certificates, images used as proof of residence, professional certificates, diplomas and degrees, and more.

The bucket also contained massive CSV lists of merchant businesses signed up to BHIM, along with each business owner's UPI ID number. Other personally identifiable information (PII) was exposed as well, and, based on the researchers' review, the documents included the PII of minors.

Upon discovery, the researchers reached out to the website's developers to inform them of the misconfiguration. After receiving no reply, they contacted India's Computer Emergency Response Team (CERT-In).

Nearly three weeks later, the researchers contacted CERT-In a second time, and the breach was closed soon after.

“The sheer volume of sensitive, private data exposed, along with UPI IDs, document scans, and more, makes this breach deeply concerning. The exposure of BHIM user data is akin to a hacker gaining access to the entire data infrastructure of a bank, along with millions of its users’ account information,” vpnMentor explained. 

Those affected by the breach are at risk of becoming victims of identity theft and tax fraud.

“Considering the volume of data exposed – over 7 million records – and the overall size of BHIM’s user base, hackers and cybercriminals would only need to successfully defraud and steal from a small percentage of users for a criminal scheme to be profitable and worthwhile.”

Although India may not have strong data privacy laws, both CSC and BHIM could still face an investigation due to the misconfigured S3 bucket.
