India's largest bank, State Bank of India, has been drawn into a major controversy after it exposed the financial information of millions of its customers through an unprotected server.
A TechCrunch report on Wednesday revealed that State Bank of India (SBI) failed to secure a key server hosting sensitive user information at one of its Mumbai installations. This led to the leak of bank details such as bank balances, account numbers, recent transactions and other key information of around million users.
The regional Mumbai-based data server is reported to have been storing the last two months of data from SBI Quick, an SMS and call-based service that customers of the government-owned State Bank of India (SBI) use to request basic information about their accounts.
TechCrunch reported the SBI data leak late Wednesday, after a security researcher came across one of SBI's Mumbai-based data servers. On further examination, the researcher found that he was able to access the financial data of millions of SBI customers without a hitch. He was also able to follow transaction details in real time.
It was shocking that the bank had not protected the server with a password, which allowed anyone who went looking to access the data of millions of users.
The State Bank of India data leak contained information such as customers' phone numbers, bank balances and transaction details. A relief for SBI customers is that the leak did not reveal any authentication information such as user IDs and passwords.
The incident was reported to the bank before the report of the leak was published. Following the report, the bank fixed the issue by securing its server with a password.
It is unclear how long the Mumbai-based SBI server was left open and unsecured, but it was long enough for a security researcher to discover it.
The report noted that the unsecured server was part of the SBI Quick service, which most of the customers use to text the bank or make a missed call in order to retrieve bank account information by SMS. The service is ideal for millions of SBI customers who cannot operate or afford smartphones.
And since the service requires linking an SBI customer's contact number with the bank account, the SBI data breach could have been used by thieves and scammers to swindle money from bank accounts.
The report further stated that after gaining access to the unsecured server, the TechCrunch team was able to see SMS messages going to customers in real time, including financial information such as phone numbers, bank balances and recent transactions. The server also exposed an archive of text messages going back to December that were supposed to be sent to SBI users.
An Indian company or bank being in the news for poor digital security practices is nothing new. In 2016, the debit cards of millions of customers issued by several Indian banks, including SBI, were compromised. We are also witnessing a growing number of bank fraud cases where Aadhaar data and identity theft are being used by scammers to compromise bank accounts and steal money.