India’s Largest Bank SBI Leaked Account Data on Millions of Customers
(Jan 30, 2019)
State Bank of India (SBI) suffered a data breach due to a misconfigured server that stored two months' worth of customer financial data from “SBI Quick,” including bank balances and recent transactions. The server was not protected by a password, allowing anyone to access information such as bank account balances, partial bank account numbers, phone numbers, recent transactions, text messages to customers, and when a check had been cashed. According to the article, SBI Quick permitted:
“SBI’s banking customers to text the bank, or make a call, to retrieve information back by text message about their finances and accounts… the service recognises the customer’s registered phone number and will send back the current amount in that customer’s bank account. The system can also be used to send back the last five transactions, block an ATM card and make inquiries about home or car loans.”
The accessible database allowed anyone to see those messages in real time. The database was secured following the disclosure of the misconfiguration.
Recommendation: This story depicts the potential dangers of publicly accessible services. Public-facing services should require some form of authentication, particularly if open source resources are being used. Additionally, databases should not be directly accessible over the internet, and they should require authentication to access. Users affected by this breach could be highly susceptible to social engineering attacks that would allow threat actors to obtain further Personally Identifiable Information (PII) and commit identity and financial fraud.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.