Security Experts:

State Bank of India Leaves Millions of Customer Messages Exposed

The State Bank of India is the latest large organization to leave a database full of personal information exposed and accessible on the internet.

While active hacking has led to many major data breaches, there have also been many examples of large-scale databases of personal information simply left exposed on the internet. Exactis (340 million records), an unspecified Brazilian database (120 million Brazilian residents), and the Georgia election database (6.7 million Georgia voters) are just a few examples.

Now the State Bank of India – the largest bank in India, ranked fourth in the Indian Fortune 500 – has done similar. An anonymous security researcher discovered and reported that a server belonging to the bank's Quick service – a mobile-based quick information service – had no password protection. Anyone who knew where the database was located could gain access to the plaintext information it contained.

SBI describes Quick as "a free service from the Bank where in you can get your Account Balance, Mini Statement and more just by giving a Missed Call or sending an SMS with pre-defined keywords to pre-defined mobile numbers from your registered mobile number."

Tests showed that the database of these calls provided access to many millions of text messages between the bank and its customers. There were three million messages on Monday alone, while the database contains stored archives going back to December. Information includes the customer's phone number, partial bank account number, bank balance and records of transactions.

The access vulnerability was fixed within hours of it being reported. But with no public statement from the bank, it is impossible to know how long it existed, nor whether any malicious actors gained access to it.

Stephan Chenette, the CTO and co-founder of AttackIQ, commented, "Malicious actors could use the information to target bank customers known to have high account balances, or their phone numbers to launch social engineering attacks against the bank's 500 million customers... All organizations trusted with sensitive consumer data must continuously assess the viability of their security controls to make sure that they are enabled, configured correctly and operating effectively. It shouldn't take a massive breach such as this to make companies realize they need a more proactive approach to strengthen security."

In terms of risk to customers, this operational flaw should be seen in context with the Aadhaar breach (India's national identity database). Aadhaar is managed by the Unique Identification Authority of India (UIDAI). UIDAI always has and still does deny any breach. Its website says, "Aadhaar database has never been breached during the last 7 years of its existence. Data of all Aadhaar holders is safe and secure. Stories around Aadhaar data breach are mostly cases of mis-reporting."

Nevertheless, this year's World Economic Forum Global Risks Report says that of all 2018 breaches, "The largest was in India, where the government ID database, Aadhaar, reportedly suffered multiple breaches that potentially compromised the records of all 1.1 billion registered citizens. It was reported in January that criminals were selling access to the database at a rate of 500 rupees for 10 minutes..."

Any potential combination of bank details and ID details could give criminals a huge advantage in targeted phishing and identity theft.

Ilia Kolochenko, CEO at High-Tech Bridge, fears that SBI might merely be the first of such banking flaws discovered. "I think virtually any large financial organization may face a similar incident," he told SecurityWeek in an emailed comment. "Modern IT infrastructures are so complicated that virtually no single company has an up-to-date and holistic inventory of their digital assets, let alone continuous monitoring and related security processes. And data sharing with trusted third-parties makes privacy and data protection virtually impossible."

Oliver Muenchow, security consultant and evangelist at Lucy Security, added, "There are millions of servers out there exposed right now...Not only is the customer's data exposed, but also the employees' accounts and passwords are out there floating around. It's shocking to see that around 86,000 leaks are currently being traded in the Dark Net for the domain sbi.co.in."

It is a good sign that SBI fixed the flaw so quickly – but it remains a worrying habit for Indian firms to deny or ignore breaches. It does, however, excuse them from any need to offer free ID theft monitoring to any potential victims.

Related: Post Breach Identity Theft Monitoring: Too Little Too Late 

Related: Data Stolen in OPM Breach Used in Loan Fraud Scheme

Related: Identity Fraud Cost U.S. Consumers $16 billion in 2014 

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.