SBI data leaked through unprotected server, millions of customers affected, report says
New Delhi: Just a couple of days after the State Bank of India informed the Unique Identification Authority of India about the mishandling of Aadhaar data, a report has revealed that the largest Indian bank unintentionally leaked the account details of millions of its customers through an unprotected server.
A report published by TechCrunch has revealed that the unprotected server, hosted in a Mumbai-based data centre, stored two months of data from SBI Quick, a text- and call-based system that customers used to request basic information about their bank accounts. The server, which wasn’t protected by a password, allowed anyone who knew where to look to access customers’ account data and their recent transactions.
A security researcher (name not revealed) informed TechCrunch about the leak.
While talking about the risks involved in the leaked information, the report quoted Karan Saini, a security researcher, as saying: “The data available could potentially be used to profile and target individuals that are known to have high account balances. A phone number could be used to aid social engineering attacks — which is one of the most common attack vectors in the country with regard to financial fraud.”
TechCrunch informed the SBI and the National Critical Information Infrastructure Protection Centre of India, and the bank took immediate action to secure the database.
SBI Quick is a text-message service that allows customers to text the bank and receive information about their finances and account balance on their mobile within seconds. The system also provides customers with the last five transactions on their account and accepts requests to block customers’ ATM cards. Customers can also make queries about loans through the service.
The passwordless server had exposed text messages sent to millions of SBI customers with a range of information, including their bank balances, phone numbers, and recent transactions. However, it is not yet clear whether one or more people or groups have been able to milk the data.