SBI leak exposes account data of millions of customers: Report

Public sector lender the State Bank of India has secured a leak that exposed account data of millions of customers, a news report stated. The leak allowed anyone access to financial information like bank balances and recent transactions, technology news website TechCrunch reported.

According to the report, the unprotected server, hosted in a regional Mumbai-based data centre, stored two months of data from SBI Quick, a text message and call-based system for customers to request basic information about their bank accounts.

A security researcher told TechCrunch on condition of anonymity that SBI had not set a password for the server, thus allowing access. It is not clear how long the leak stayed open, the publication said. It was the back end text message system that was exposed, which stores millions of text messages each day, TechCrunch said. The publication could also access customers’s mobile numbers and account details.

SBI has not responded to email queries sent by TechCircle at the time of publishing this report.

SBI Quick is a free missed call or an SMS-based service through which its customers can get information on past transactions, account balance, blocking cards and loan features among other things by sending an SMS or giving a missed call from their registered mobile number which is linked to their bank accounts.

As digital transactions continue to gain traction in India, such unprotected servers pose a great risk of financial fraud for customers. For instance, digital transactions made on the Unified Payments Interface increased 15 times to 450 million for September 2018, from 30 million a year earlier.

Early this month, the country’s central bank said that there was a 50% jump in the number of cyber frauds in the banking sector over the past year while the amount of money lost has more than doubled during the same period.

Considering the explosive growth of the internet and mobile banking and the penetration of Immediate Payment Service (IMPS) and UPI over the last four years, the number of fraud incidents have not increased as much.

Among the prominent fraud cases in 2018, Mauritius banking group SBM Holdings said in October that its Indian operations had suffered a cyber fraud that had resulted in a potential loss of up to $14 million https://www.techcircle.in/2018/10/03/cyber-fraud-indian-unit-of-mauritius-bank-sbm-loses-14-mn.

A couple of months before that, in one of the biggest cyber banking frauds of the country, criminals hacked the systems of India's Cosmos Bank and siphoned off nearly $13.5 million through simultaneous withdrawals across 28 countries.

After the incident, the National Payments Corporation of India (NPCI) had issued an advisory note asking banks to take a series of measures to protect themselves against fraud.