India’s largest bank, the State Bank of India (SBI), simply forgot to protect its server with a password, risking the theft of personal data of several million account holders. The US-based
The bank data in question was purportedly from SBI’s data centre in Mumbai and was, according to TechCrunch, related to its service called SBI Quick, through which the bank’s customers can send an SMS or give a missed call to learn their account balance and/or details of their last five transactions.
The SBI server was apparently not protected by a password, thus giving anyone who knew where to look access to the banking data of millions of customers, including their mobile numbers, partial account numbers, account balances, recent transactions and more.
The TechCrunch report says that the server essentially housed the back-end data of the SBI Quick service and included millions of messages that were being sent to customers in response to their queries. It added that they could allegedly see the text messages being sent in real time. The website states that it verified the authenticity of the server by asking one India-based security researcher to use the SBI Quick service, and within seconds they could reportedly see the researcher’s number as well as the response sent to him on the password-less server.
The cyber security expert, who did not want to be named, alleged, “If indeed hackers knew about this security breach and they mopped up the data from SBI’s server, they could use it to target high net worth individuals.” SBI has around 50 crore customers with 74 crore accounts across the world. Interestingly, SBI had accused the Unique Identification Authority of India (UIDAI) of mishandling Aadhaar data, leading to the generation of fake Aadhaar cards. A phone call to the SBI spokesperson remained unanswered until going to press.