SBI Leaks Account Data of Millions Because it Forgot to Password-Protect a Server
India’s largest bank, SBI, reportedly left account data of millions of Indians open to unauthorized access. The government-owned corporation appears to have committed a critical oversight: it failed to password-protect a server in a regional Mumbai-based datacenter. As a result, anyone who knew where to look could access details such as balances and recent transactions of an astonishingly large number of people, for an unknown period of time.
The server in question hosts two months of data from SBI Quick, an SMS- and call-based service that lets customers request account data, such as their last five transactions, by sending a preset text message. For instance, a user can send BAL from their registered phone number to retrieve their account balance.
The service is primarily designed for customers who still don’t own a smartphone, and it sends out millions of text messages every day. In addition to holding the most recently dispatched information, the server also retained daily archives going back about a month.
In an interview with TechCrunch, security researcher Karan Saini said: “The data available could potentially be used to profile and target individuals that are known to have high account balances.” He further added that having access to phone numbers “could be used to aid social engineering attacks — which is one of the most common attack vectors here with regard to financial fraud.”
The database, however, did not expose account passwords or full account numbers. But because it is a phone-based service, anyone with access could view customers’ phone numbers, bank balances, and a few digits of the associated account number. It is currently not known how long the server remained exposed.
Moreover, SBI has yet to confirm the incident, nor has it offered a comment. We are also unsure how an incident like this can happen. Unless it was a new server (to which some past data had been migrated) or someone with administrative rights deliberately removed the authentication, the case is quite baffling even for a government-owned corporation.
Ironically, a couple of days earlier, SBI — yes, SBI — called out another government-owned agency, UIDAI, for mishandling personal data, which itself had enabled fraudsters to generate fake identity cards.