SBI’s Security Blunder Exposed Sensitive Data Of Millions Of Users: 5 Things You Should Know

SBI is India's largest bank, with 50 crore customers.

SBI data servers breached

Update: After this news picked up steam, SBI had to come out, and assure everyone that no data compromise had happened. In a statement, SBI said, “The matter has been thoroughly investigated immediately after it was brought to the notice of the Bank. SBI would like to assure all its customers that their data is safe and secure and SBI is fully committed to ensuring this.”

Earlier...

In a major security blunder, SBI exposed sensitive data of millions of users. The magnitude of the error is such that the bank still does not know how much damage has been done.

SBI is India’s largest bank with more than 50 crore customers and more than 74 crore bank accounts.

How did this happen? Which account holders’ data was exposed? Who found this leak?

Here are 5 things you should know...


Who Discovered This Security Breach?

This leak was discovered by security researcher Karan Saini, who had earlier claimed to have found a major security glitch in the Aadhaar database. He reported this major security flaw to TechCrunch, which verified the data leak. Saini said: “The data available could potentially be used to profile and target individuals that are known to have high account balances.”

What Exactly Happened?

This is what happened: SBI stores customer data on servers. One of these servers, located in Mumbai, was left without any security or password. This meant that anyone with basic coding skills could have connected to the server and stolen millions of records belonging to SBI customers. It is still not known whether any hacker gained access to this database and stole data. Karan certainly did gain access, and this is indeed scary.

Which SBI Services Were Affected?

The data in question belongs to a new SBI initiative called SBI Quick. This is a ‘missed-call’ based banking service, through which any SBI customer can give a missed call to an SBI number and get basic account information. The service also allows users to send pre-defined SMS keywords to perform basic banking operations. For example, sending BAL to the SBI Quick number instantly returns the user's current account balance.

What Information May Have Been Exposed?

Now, this is why this data security blunder is scary: in order to provide missed-call and SMS-based banking under SBI Quick, the bank needs to store sensitive banking data on its servers. Information such as partial bank account numbers, account holder names, last transactions and recently submitted check details was stored on the server that was left unprotected. As per TechCrunch, the password-less server that Karan found held the last two months of data meant for SBI Quick operations. Saini said that phone numbers “could be used to aid social engineering attacks — which is one of the most common attack vectors in the country with regard to financial fraud.”

Was It Reported?

TechCrunch immediately contacted SBI and India’s National Critical Information Infrastructure Protection Centre and reported this massive data breach. As per available information, the server has since been secured. SBI has declined to comment on the incident.

We will keep you updated, as we receive more information.
