[Security Weekly] Indian Payment App BHIM Leaks Financial Information of 7 Million Users

1st Week of June 2020


1. Indian payment app BHIM exposes sensitive financial information of 7 million people

Launched by the National Payments Corporation of India (NPCI), the Bharat Interface for Money (BHIM) is a popular mobile payment app in India that has been downloaded more than 136 million times as of 2020. The app enables users to make direct payments to others by entering their ID or scanning their QR code with the app.

In April this year, security experts at vpnMentor discovered over 409 GB of publicly accessible data on a misconfigured Amazon Web Services (AWS) S3 bucket managed by NPCI. The data included sensitive personal and financial information of all users who registered a BHIM account since February 2019.

Affecting more than 7 million users across India, the exposed data contained all information required for account registration, including scans of national ID cards, caste certificates, income tax information, documents for proof of employment and education, photos for proof of residence, and screenshots for proof of transactions. This information could be exploited by cybercriminals for fraud and theft at a massive scale.

After the incident was reported, NPCI reconfigured the settings of the AWS S3 bucket to private. The company has made no official response.

Sources: Infosecurity, The Week


2. US nuclear missile contractor attacked by Maze ransomware, classified information likely compromised

In early June, US defense subcontractor Westech International disclosed to Sky News that it had suffered a ransomware attack on its IT system.

Westech International provides critical technical, logistical, and operational support services for LGM-30 Minuteman III, a three-stage intercontinental ballistic missile (ICBM) designed for nuclear weapons delivery. Manufactured by Northrop Grumman, it is currently the only land-based ICBM in service in the United States, acting as the land arm of the nuclear triad.

The Russian-speaking threat actors appeared to have used the Maze ransomware to exfiltrate data from Westech’s computers before encrypting them. They then published a portion of the stolen data online and threatened to release the rest unless Westech paid a ransom.

The portion of data published online already contains extremely sensitive information such as emails and payroll information. Judging from these data, it is likely that military-related classified information has been compromised.

However, experts worry that even if Westech pays the demanded ransom, there is no guarantee that the attackers would dispose of the data. What’s more concerning is that these data could be sold to hostile states and terrorist groups.

Source: Sky News


3. Google faces class-action lawsuit for tracking user activities under private browsing mode

On June 2, a class-action lawsuit was filed in the United States District Court for the Northern District of California accusing Google of tracking browsing activities even under private mode.

Most browsers offer private browsing features for those who do not want to leave browsing history or generate cookies. These include Google Chrome’s Incognito mode and Microsoft Edge’s InPrivate browsing. 

According to the case filed, even when a user browses in private mode, their personal data and browsing activities would still be collected by Google whenever they visit a website that runs Google Analytics or Google Ads. Indeed, more than two-thirds of all websites use at least one of these services.

Data collected include the user’s IP address, viewed pages and ads, previously viewed pages, session time, and device details. The plaintiff is requesting $5,000 in compensation per user, or three times the actual damage, whichever is greater. Similar complaints and accusations arose in the United Kingdom and Australia.

However, it is still too early to say whether Google would be held responsible. This is because, contrary to popular belief, private browsing only stops the browser from recording user activities; it does not stop websites, plugins, and web applications from doing so.

For instance, Google Chrome’s Incognito mode clearly indicates that a user’s activity would still be visible to the websites they visit, to their employer or school, or to their internet service provider.

Source: Forbes


4. CPA Canada hit by cyberattack, personal details of 330,000 accountants exposed

On June 4, Chartered Professional Accountants of Canada (CPA Canada) publicly disclosed a cybersecurity incident that compromised sensitive personal information of nearly 330,000 members.

One of the largest national accounting bodies in the world, CPA Canada is a unified association of all certified accountants in Canada, including Chartered Accountants (CAs), Certified Management Accountants (CMAs), and Certified General Accountants (CGAs).

Back on April 24, CPA Canada sent out an alert about an extensive phishing campaign targeting its members. Although the exact date is unclear, this data breach was apparently discovered following that earlier incident, suggesting that the intrusion was likely the result of a phishing attack.

Stolen data included the names, addresses, email addresses, and employer names of nearly all certified accountants in Canada. Even though account passwords and credit card details were also compromised, these data were safely encrypted.

By the time of the announcement, all the compromised systems were secured and all affected members were notified. CPA Canada urged all members to stay on high alert, as it is highly likely that the attackers would use the stolen information to launch further phishing attacks targeting them, their employers, and their families and friends.

Sources: Global News, Bleeping Computer


5. San Francisco retirement plan leaks personal data of 74,000 members

San Francisco Employees’ Retirement System (SFERS), an organization offering pension plans and retirement services to the city’s employees, disclosed a data breach in early June that compromised the personal information of 74,000 of its members.

According to its statement, on February 24, an unauthorized party hacked into a database located on a test server set up by a vendor. The data breach was not discovered until March 21, after which the vendor immediately shut down the server.

Compromised data included personally identifiable information such as name, address, date of birth, and beneficiary information. Affected people are advised to be extra cautious about potential phishing activities.

Based on this incident, security experts are warning that real data should never be stored in a testing server that lacks proper security measures. Instead, non-sensitive data such as dummy data should be used for testing.

Sources: SC Media, SiliconAngle

