SBI server leaks bank balance details of Indians

India Today : Feb 01, 2019, 10:53 AM
State Bank of India left one of its servers open by not putting a password on it. We have heard of data leaks earlier, and they happen even with tech giants like Facebook. But in those cases the issues creep up because of unknown bugs or loopholes in software. The State Bank of India (SBI), India’s largest bank, instead accidentally left the data of millions of SBI customers exposed to the world.

TechCrunch first reported about the issue late Wednesday. A security researcher happened to stumble upon one of SBI’s data servers located in Mumbai. Upon further probing, the researcher was reportedly able to access financial details of millions of the bank’s customers easily. The researcher was also able to track transactional data in real time. However, before the report was published, the incident was reported to SBI and the bank then put a password on its mission-critical server.

With 740 million active accounts with the bank, chances are that you might be one of SBI’s customers and it is important to know whether the issue compromised your data privacy. Here’s all you need to know about the SBI data leak in 10 points.

All you need to know about the SBI data leak in 10 points

-- One of State Bank of India’s data servers in Mumbai was found to be accessible to the public and vulnerable to data theft and hackers. A security researcher found the data server was not protected by a password or any other kind of security measure. The server was essentially an open book to anyone on the Internet with the right skills to grab the bank data of millions of people. The security researcher then contacted TechCrunch and gave the publication all the details.

-- The researcher was able to access bank account details such as the account balance and other financial details of millions of SBI users. One could access every individual’s data from up to 2 months ago.

-- The security researcher was able to track transaction details in real time. In fact, the media report states the researcher was able to witness 3 million messages on Monday alone.

-- The server was located in Mumbai and was found to have been left without a password for an unknown period of time. When the researcher discovered it, it was not known how long the server had been left in that condition.

-- The server stored data related to the SBI Quick service. The server contained details of all messages sent to those SBI customers who subscribed to the service.

-- The messages contained account balances, phone numbers and, in some cases, other valuable information regarding an individual.

-- SBI Quick is a new method of digital banking that allows its customers to learn about their bank accounts and other financial details through SMS. Customers need to send commands or missed calls to the service for getting the required information. It is beneficial for those who don’t have smartphones or access to Internet banking.

-- The phone numbers exposed in the leak could actually lead to hackers knowing about the financial details of an individual. It could lead people with malicious intentions to harass people with higher bank balances.

-- Before the leak was reported, State Bank of India was made aware of the issue. The bank reportedly fixed the issue by securing the server.

-- It’s not yet known whether the server’s data has been mined by an external source. Additionally, only the data of customers who are subscribed to the SBI Quick service is affected. If you haven’t opted for the subscription, chances are your data is secure.

Should you worry as an SBI customer?

So should you worry? Yes, a little. The information that the SBI server leaked could be used for identity theft, if not for direct access to your bank account. No account PINs or passwords were leaked, so there is no immediate risk to your account. But details like the transactions you made, who got money into their account and when, were leaked. And these details can be fine-tuned, filtered and mined to make a profile of SBI customers who can then be targeted by cyber crooks for financial fraud.