The State Bank of India has been embroiled in a major controversy after it was discovered that the bank had leaked financial data of millions of its customers.
According to a TechCrunch report, the bank came upon an unprotected server that granted anyone access to financial information on millions of its customers. This included information like bank balances and recent transactions.
The server, which was hosted in a Mumbai-based service centre, stored two months of data from a text-message and call-based service, SBI Quick, which is owned by the bank. The service is used to request information about customers’ bank accounts.
What’s shocking is that the bank didn’t have the server protected by a password, which gave anyone looking to access the data of millions of customers a window to snoop around.
There is still ambiguity around how long the server remained unprotected. Yet it was long enough for the flaw to be discovered by a security researcher.
The SBI Quick feature is mostly used by customers who use feature phones. It allows users to text the bank, or make a call, and retrieve information about their accounts by text message. This form of communication is ideal for SBI as it largely caters to consumers who cannot afford smartphones or are unable to operate them. Poor network is another reason the service is pushed.
This service makes it easier for customers when they want to know the status of their last five transactions, block an ATM card, or make inquiries about home or car loans.
According to TechCrunch, the service's back-end messaging system, which was storing millions of text messages, was exposed.
The unprotected database gave complete access, in real time, to the text messages going to customers, which included the customers’ phone numbers, bank balances and recent transactions. The database also contained part of the customer's bank account number. This information could also include when a cheque had been cashed.
It seems that SBI was informed about the issue earlier by an anonymous security researcher, which could be the reason TechCrunch quoted an unnamed source, who must have feared legal consequences.
What’s ironic is that, just a couple of days ago, India's largest banking network, SBI, had accused UIDAI of mishandling the data of citizens, which led to fake Aadhaar ID cards being created. UIDAI denied the report and said there was no security breach of its system.
Currently, there is no information on how much data has been compromised. The bank is yet to comment on the breach.
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)