State Bank of India, India’s biggest bank, was forced to secure a server that had been left unprotected, giving anyone access to customers’ data.
According to a report in TechCrunch, the server housed financial information on millions of State Bank of India customers, including bank balances and recent transactions. The server, which was hosted in a data center in Mumbai, housed two months of data from SBI Quick, a messaging system that lets State Bank of India customers text the bank and get information about their finances and bank accounts via text message, according to the report. The service is aimed at the millions of the bank’s customers who don’t have smartphones or whose data services are limited.
The bank’s back-end text message system, which stores millions of text messages, was reportedly exposed. TechCrunch was able to get into the database — which was not password-protected — and see text messages going to customers in real time. The information it was able to access included phone numbers, bank balances and transactions. In one day alone, State Bank of India sent three million texts, the report noted, and the database had archives of the text messages dating back to December. To verify that the data was accurate, the publication had India-based security researcher Karan Saini send a text message to the system. The publication said it was able to see information on Saini within seconds. “The data available could potentially be used to profile and target individuals that are known to have high account balances,” said Saini in a message to the publication.
It’s not clear how long the server had gone unsecured, but the report did note that a security researcher (who requested anonymity), not someone inside the bank, discovered the data breach. TechCrunch reached out to the State Bank of India and the National Critical Information Infrastructure Protection Centre, and the database was secured.