SBI Investigates Reported Massive Data LeakReport: India's Largest Bank Had Database That Lacked Password Protection
The State Bank of India, the nation's largest bank, is investigating an apparent data leak that reportedly exposed information on millions of its customers.
The government-owned bank, which has 740 million active accounts, neglected to password-protect one of its servers based in a Mumbai data center, enabling easy access to customer data, TechCrunch reports. The exposed data contains partial account numbers, balances, transaction details and much more, according to the news report.
The server has since been secured, TechCrunch reports. But it's not yet clear whether the server's data was mined by an external source.
Y.V. Ramana Murthy, SBI's general manager and group CISO, tells Information Security Media Group: "We maintain proper security protection in our environment and protect our customer data properly. I do not see a cause of concern."
The CISO adds: "An investigation has been ordered, and I will communicate to you when we come to a conclusion. Right now, the entire team is looking into the matter. We take such issues seriously as customer trust is important to us."
Server Management Issues
Too often, banks in India do not conduct proper server management, says Prashant Pandey, a Noida-based security researcher. "Banks in India conduct audits in areas where the RBI has made it compulsory. The other areas are usually ignored," he says.
"Poor configuration by server administrators is to be blamed here," says P. Bala, chief technology officer at Arctos Networks, a software company based in Bengaluru. "Services that are exposed to public access should be configured properly and verified periodically for vulnerabilities and fixed immediately."
The SBI incident highlights that banks must not take a checklist approach to security and must avoid relying only on audits to get assurance about their security measures, other security experts say.
"Audits are not designed to be continuous. In the intermediate period, any new malware or vulnerabilities may creep in that could weaken the system," says Prasanna Bharatan, global head of assurance and risk management at Wockhardt, a global pharmaceutical and biotechnology company based in Mumbai. "The management has to invest in more robust technologies and have stronger policies and awareness programs."
Other important steps banks can take to avoid data leaks, security experts say, include having white hat hackers conduct mock hacks on a regular basis and ensuring they use proper password management.
TechCrunch reports that hackers attacked the back end of the bank's SBI Quick system to gain information regarding its customers.
SBI Quick is a text message and call-based system that customers can use to request basic information about their bank accounts. It's designed for the millions of customers who don't use smartphones or have limited data service.
By using predefined keywords, the service recognizes the customer's registered phone number and sends back the requested information.
"The passwordless database allowed us to see all of the text messages going to customers in real time, including their phone numbers, bank balances and recent transactions," a researcher who discovered the vulnerability, and asked not to be identified, told TechCrunch.
With the server lacking password protection, it could have been easy for a hacker to access the SBI database, Pandey says. "All he needed was to get ahold of the IP address, which might have been done by following the trail of text messages," he says. "Post this, it was an easy entry for hackers."
A hacker could potentially then use bank customer information obtained to develop a profile to use in committing fraud.
Using Qualified Auditors
J. Prasanna, director at the Singapore-based Cyber Security and Privacy Foundation, questions whether the auditors appointed to check on SBI's servers were well-qualified.
"I have always questioned the qualifications of CERT-In empanelled auditors. Government websites keep getting defaced or hacked. None of these auditors are ever blamed," he says.
"A degree or a certification doesn't make you a good cybersecurity auditor. Often in government, people are given a job based on their age rather than their competitiveness."
Managing Editor Geetha Nandikotkur contributed to this story.