SBI left banking data of millions of users unprotected online: Report


NATIONAL | January 31, 2019:

On Wednesday, a media report claimed that State Bank of India which is India's largest bank left a server with the banking data of its consumers unprotected.

The reported server is said to have been secured since then, but the existence of an alleged unprotected server raises serious questions about the security practices at the bank, which manages the money of over 42 crore customers across India.

According to a report by TechCrunch, the alleged unprotected server of the State Bank of India was housed in a Mumbai data centre and included two months of data from SBI Quick, a missed call banking service from the company.

SBI Quick is claimed to offer an easy and non-connected way to its consumers to get basic information about their account with the bank. The consumers can ask for their balance, mini statement, request a cheque book, and more.

The SBI server was apparently not protected by a password, thus giving anyone, who knew where to look for, access to the banking data of millions of customers, including their mobile numbers, partial account numbers, account balance, recent transactions and more. TechCrunch says the leak was discovered by a security researcher, who wants to remain anonymous.

The report explains the server essentially housed the back-end system of the SBI Quick service and included millions of messages that were being sent to the consumers in response to their queries. It added that they could allegedly see the text messages being sent in real-time. The website states that it verified the authenticity of the server by asking one India-based security researcher to use the SBI Quick service and within seconds, they reportedly could see the researcher's number as well as the response sent to him on the password-less server.

TechCrunch says the server revealed that the bank sent over three million text messages to the consumers on Monday itself. With two months of such data, a malicious party could do a lot of damage to the unsuspecting State Bank of India consumers.

We have reached out to SBI for a statement on the matter but did not get a response at the time of publication.

Source: NDTV