
India’s BHIM Payments Site May Have Exposed 7 Million Users’ Data


India’s BHIM payment app reportedly exposed the personal data of 7 million users, including addresses, scans of Aadhaar IDs and caste certificates, according to cybersecurity company VPNMentor.

The 409 GB database, according to VPNMentor, was stored in a misconfigured AWS S3 bucket that had been left publicly accessible, so anyone who found the bucket’s address could read its contents without credentials.
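The exposure described above comes down to a bucket whose policy, ACL or account-level Public Access Block allowed anonymous reads. The following is an added example, not code from the article or from VPNMentor, showing how to audit those three settings offline: it takes the JSON shapes returned by `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` and reports every grant that makes a bucket world-readable. The bucket name, account ID and role ARN in the sample data are hypothetical, and the sample policies are constructed to mirror the weak configuration the article describes and its hardened counterpart.

```python
import json

# Grantee URIs that stand for "everyone" and "anyone with any AWS account".
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions that let an anonymous principal read or enumerate objects.
READ_ACTIONS = {"s3:*", "s3:getobject", "s3:listbucket"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    # IAM JSON allows a scalar wherever a list is allowed; normalise it.
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    # Both `"Principal": "*"` and `"Principal": {"AWS": "*"}` mean anonymous.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy):
    """Sids (or statement indexes) of Allow statements granting anonymous read."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        # A Condition (e.g. aws:SourceVpce) may scope the grant; report it
        # as conditional rather than silently accepting it.
        sid = stmt.get("Sid") or f"statement[{idx}]"
        findings.append(sid + (" (conditional)" if stmt.get("Condition") else ""))
    return findings


def public_acl_grants(acl):
    """Permissions granted to the AllUsers / AuthenticatedUsers groups."""
    return [
        f"{g['Grantee']['URI'].rsplit('/', 1)[-1]}:{g['Permission']}"
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_ACL_URIS
    ]


def public_access_block_gaps(pab):
    """Public Access Block flags that are not enabled (all four should be)."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return [k for k in PAB_FLAGS if not cfg.get(k, False)]


def audit_bucket(policy, acl, pab):
    """Run all three checks; every list empty means no public exposure."""
    return {
        "policy": public_policy_statements(policy),
        "acl": public_acl_grants(acl),
        "public_access_block_gaps": public_access_block_gaps(pab),
    }


# Constructed sample (hypothetical names): a bucket exposed the way the
# article describes, with no Public Access Block in force.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-onboarding-docs",
                 "arn:aws:s3:::example-onboarding-docs/*"]}]}
WEAK_ACL = {"Grants": [{
    "Grantee": {"Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}
WEAK_PAB = {"PublicAccessBlockConfiguration": {k: False for k in PAB_FLAGS}}

# Hardened counterpart: access only for a named service role, owner-only ACL,
# and all four Public Access Block flags on.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "OnboardingServiceOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/onboarding-api"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-onboarding-docs/*"}]}
HARDENED_ACL = {"Grants": [{
    "Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
    "Permission": "FULL_CONTROL"}]}
HARDENED_PAB = {"PublicAccessBlockConfiguration": {k: True for k in PAB_FLAGS}}

if __name__ == "__main__":
    print(json.dumps(audit_bucket(WEAK_POLICY, WEAK_ACL, WEAK_PAB), indent=2))
    print(json.dumps(audit_bucket(HARDENED_POLICY, HARDENED_ACL, HARDENED_PAB), indent=2))
```

The weak configuration is reported on all three axes (the `PublicRead` statement, the `AllUsers:READ` ACL grant, and all four missing Public Access Block flags), while the hardened one produces three empty lists. Enabling the account-wide Public Access Block is the single control that would have neutralised both the policy and the ACL grant even if someone later re-added them.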

The data belonged to BHIM’s website, which is primarily used for onboarding new users.

VPNMentor’s research team uncovered the exposure on April 23 and notified India’s Computer Emergency Response Team (CERT-In) on April 28. The bucket was secured after VPNMentor contacted CERT-In a second time.

Most of the database consisted of the documents needed to open a bank account: Aadhaar IDs, caste certificates, proof of residence, Permanent Account Number (PAN) cards and screenshots of fund transfers submitted as proof, according to VPNMentor. Together, these documents are enough to commit identity theft or financial fraud against the affected users, although news sources had no specific information that this had happened. The records dated back to February 2019.

Some of the exposed fields, such as Unified Payments Interface (UPI) IDs, could also be used by attackers to access data belonging to minors.

BHIM is based on the UPI platform by the National Payments Corporation of India. Other services utilizing UPI include Google Pay, PhonePe, WhatsApp and Paytm.

Cyberattacks have become ubiquitous in the digital age, with companies as varied as Wawa, Wyze Labs, T-Mobile and Landry’s Inc all reporting data breaches around the beginning of 2020.

And now, halfway through the year and amid a global pandemic, phishing attacks continue to roll in, exploiting the disruption and anxiety caused by global shutdowns and economic turmoil.

The damage has been widespread: 100 percent of the law firms surveyed had been targeted by cyberattacks, and 15 percent of them lost clients as a result. Google sent 1,755 warnings to users targeted by phishing attacks, and a recent iomart analysis finds that small businesses stand to lose $555 billion as a result of such attacks.
