Earlier today, TechCrunch has reported that the government-owned State Bank of India (SBI), India’s largest bank and the number four company in the Fortune India 500, left a server unprotected, allowing anyone to access the financial information of millions of customers including partial bank account numbers, phone numbers, balances and recent transactions. The server stored two months of data from SBI Quick, a text message and call-based system used to request basic information about bank accounts by the bank’s customers. The exact number of users that had their data compromised is uncertain, however SBI boasts 500 million customers across the globe and 740 million accounts.
In 2016, massive indian bankls were reported being breached but SBI at that time assured they were safe.
State Bank of India says SBI's systems are absolutely secure and no security breach has happened
— Reuters Asia (@ReutersAsia) October 20, 2016
But not long enough:
In light of the recent news item, regarding an alleged data incident, please find below our statement: pic.twitter.com/mu4xn12QgL
— State Bank of India (@TheOfficialSBI) January 31, 2019
Experts Comments below:
Stephan Chenette, CTO and Co-founder at AttackIQ:
“Operating a server without any access security controls, the State Bank of India (SBI) exposed their customer information allowing real-time access to anyone. Malicious actors could use the information to target bank customers known to have high account balances, or their phone numbers to launch social engineering attacks against the bank’s 500 million customers. All organizations are tasked with the responsibility of protecting user data, but Fortune India 500 companies such as SBI must take additional precautions due to the fact that they are prime targets for data theft and other cybercrimes.
This kind of data leak—which is so easily preventable with even basic security practices—directly undermine customer confidence. Exposure of any type of user information is a major concern. All organizations trusted with sensitive consumer data must continuously assess the viability of their security controls to make sure that they are enabled, configured correctly and operating effectively. It shouldn’t take a massive breach such as this to make companies realize they need a more proactive approach to strengthen security.”
Oliver Muenchow, Security Consultant and Evangelist at Lucy Security:
“There are millions of servers out there exposed right now. The State Bank of India got “officially” hacked. It’s not the first time, and it probably won’t be the last time. Not only is the customer’s data exposed, but also the employees’ accounts and passwords are out there floating around. It’s shocking to see that around 86,000 leaks are currently being traded in the Dark Net for the domain sbi.co.in.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.