Banks maintain and secure a mass amount of data for their clients and employees. This stewardship should not be taken lightly. This not only includes the customer’s confidential data, but also the client’s confidential financial data. In addition to the statutory issues, there may be civil liability issues. The data and leverage that is a product of a breach have significant value.
India, as with any nation, has banks throughout its borders. India’s largest and highly rated bank, State Bank of India (SBI), recently experienced an issue. SBI had 500M clients across the globe with 740M accounts. They also had an insecure server. This was, thankfully, detected by a security researcher. Anyone could have accessed the server. This might have turned out much differently as the server held the financial data on millions of its clients. This included bank balances and recent bank transactions for two months. This data was from SBI Quick. This is a text message and call-based system. People are able to call in to get their data on their account(s). Each day the service archives the data. Each day contained millions of text messages. The server was based in Mumbai in a data center.
The server contained relatively important data. This should have been secured in some form, however, it was not. The server did not utilize a password. All the potential attackers had to know was the server’s address. If this simple task was done, they would be able to see all the text messages, client phone numbers, bank balances, recent transactions, and partial account numbers. It, unfortunately, is unknown how long the server was not protected. SBI was quick in their response once they were informed and secured the server.
It’s curious why the server was misconfigured in the first place. With this type of data and the direct harm, it could have inflicted, seemingly more care would have been applied to this. Also, it is unknown how long the server was in this state. In theory, this could have been since it was placed online. This builds and adds to the case for a secondary review of the work done. The second set of eyes would definitely have assisted in removing or minimizing the risk.
Beau HD. (2019, January 31). India’s largest ban SBI leaked account data on millions of customers. Retrieved from https://it.slashdot.org/story/19/01/31/0426238/indias-largest-bank-sbi-leaked-account-data-on-millions-of-customers
Kolochenko, I. (2019, Februar 1). India’s largest bank sbi leaked account data on millions of customers. Retrieved from https://www.informationsecuritybuzz.com/
Modupe, B. (2019, January 31). Account data of millions of sbi customers, the largest bank in india leaked. Retrieved from https://www.btcnn.com/general-news/account-data-of-millions-of-sbi-customers-the-largest-bank-in-india-leaked/
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.
Share on Facebook
Share on Twitter
I'm busy working on my blog posts. Watch this space!