SBI put account data of millions of users at risk
These are treacherous times. Data breaches and leaks are getting reported by the day, and despite all efforts, even the world’s biggest tech companies are unable to contain multiple breaches that have occurred so far. But you’d expect a financial institution, as big as SBI (the largest bank in the world’s third largest economy by PPP), to make sure their digital infrastructure is secured. Apparently it is not. According to a recent report from TechCrunch, State Bank of India, which is the leading public sector bank in India, allowed access to financial information on millions of its customers, including bank balances and recent transactions. Thankfully, no account PINs or passwords were leaked.

This was possible because the bank didn’t put a password on the server. Yeah. It was as plain and simple as that. Without a password, the server was essentially an open book to anyone on the Internet with the right skills to pull bank data on millions of people, provided they knew where to look.

A security researcher stumbled upon one of SBI’s data servers located in Mumbai. Upon further probe, the said researcher was reportedly able to access financial details of millions of the bank’s customers easily. The researcher was also able to track transactional data in real-time.

However, it’s noteworthy that before the report was published, the incident was reported to SBI and the bank then did put a password on its mission-critical server. The server, hosted in a regional Mumbai-based data center, stored two months of data from SBI Quick, a text message and call-based system used by customers of the government-owned State Bank of India (SBI) to request basic information about their bank accounts.

The server stored data related to the SBI Quick service. It contained details of all messages sent to SBI customers who subscribed to the service, which included account balances, phone numbers and, in some cases, other valuable information about an individual.

TechCrunch reports that the database held daily archives of millions of text messages, going back to December, allowing anyone to access a detailed view of millions of customers’ finances. It also verified the data by asking security researcher Karan Saini to send a text message to the system; within seconds, they found his phone number in the database, along with the text message he received back.

For those who are unaware, SBI Quick is a digital banking platform that allows customers to learn about their bank accounts and other financial details through SMS. Customers send commands or missed calls to the service to get the required information. It is aimed at those who don’t have smartphones or access to Internet banking.