The State Bank of India (SBI), the largest bank in the nation, leaked data of millions of its account holders. Information like bank balances and recent transactions was visible online due to the leak.
As per a TechCrunch report, two months of data was stored in a Mumbai-based data center. Customers used an SMS- and call-based system to query information about their bank accounts. The SBI server was not password protected, allowing anyone with an internet connection to access the data if they knew where to find it.
It is unclear how long the server was unprotected, but a security researcher found out about it and reported it to TechCrunch.
SBI Quick is a service that enables SBI customers to perform various actions with their bank account via SMS, missed calls, etc. Customers can then get information like balance and recent transactions on their phone. For people not using a smartphone, this is very useful. The report says that the back-end SMS system was exposed, leading to the SBI data leak. Since the server was not password protected, information like phone numbers, bank balances, recent transactions, and even partial account numbers was exposed.
Speaking to TechCrunch, security researcher Karan Saini said: “The data available could potentially be used to profile and target individuals that are known to have high account balances.”
He added that knowing a phone number “could be used to aid social engineering attacks — which is one of the most common attack vectors here with regard to financial fraud.”
The report also says that the server has now been secured.