State Bank of India’s customers exposed in data leakage
Customers of State Bank of India were left vulnerable after an unprotected server allowed anyone to access financial information.
It’s not known how long the server was open, but it was exposed long enough to be discovered by an anonymous security researcher, who could only tell TechCrunch about the leak.
India’s largest bank has now secured the server, which was hosted in a regional Mumbai-based data centre. SBI has more than 500 million customers across the globe with 740 million accounts.
TechCrunch explains that the server stored two months of data from SBI Quick, a text message and call-based system used to request basic information about bank accounts.
But the bank had not protected the server with a password, allowing anyone who knew where to look to access information on millions of customers.
It was the back-end text message system that was exposed, TechCrunch confirmed. The publication revealed a redacted example of some of the banking and credit information found in the database.
To put this into context, the bank sent out nearly three million text messages on one day alone. The database also had daily archives giving a detailed insight into customers’ finances.
One implication of such data becoming available concerns customers’ phone numbers, which could be used in a social engineering attack.
Such an attack manipulates a person’s emotions, for example by making them curious or worried, to lure the victim into revealing confidential information.
SBI did not respond to TechCrunch’s requests for comment.