How safe is your data with the SBI, the largest bank in India?
Apparently not very.
According to a TechCrunch report, an unprotected SBI server allowed anyone to access sensitive account and financial details of millions of the bank's customers. Information such as recent transactions and bank balances was open for all to see. The report claims that the unsecured server, installed in a Mumbai data center, contained two months of data from SBI Quick, a call and text message-based system that lets customers request basic information about their SBI bank accounts.
While such sensitive information must always be kept highly secured, the bank had forgotten to password-protect the server and the database, which enabled literally anyone to access the information of millions of customers. TechCrunch was unable to determine how long the server had been exposed. However, it was open long enough for an anonymous tech researcher to find it and inform TechCrunch.
The SBI Quick banking feature allows the bank's customers to retrieve their financial or account information either by texting the bank or by giving a missed call. The feature, on the whole, is quite useful, especially as SBI is the largest bank in India and millions of rural and not-so-tech-savvy individuals have accounts with the bank. SBI Quick is also a reliable way of getting important information if an individual does not own a smartphone or has no Internet connection on the phone. The feature used a back-end text message system, which stored the millions of text messages exchanged between customers and the bank each day.
TechCrunch confirmed that the unsecured database allowed them to see, in real time, all the confidential text messages the bank sent to customers, which included the customers' bank balances, phone numbers, and recent transaction records. The database also displayed the customers' partial account numbers. TechCrunch claims that on Monday, January 28, the SBI sent out 3 million text messages to customers. On digging deeper, it was also discovered that the database contained information going back to December 2018, and anyone accessing the server had an easy view of the account details of millions of SBI's customers.
Following this blatant disregard for customer security, the database was secured overnight after TechCrunch reached out to the National Critical Information Infrastructure Protection Centre and the SBI with information about the breach. SBI had yet to comment on the incident at the time of writing.