Government trashes claims of BHIM payments app data breach staring 7 Million user data at risk


Indian Government denies the BHIM data breach claims that included 7 million Indian users records

BHIM (Bharat Interface for Money) is an Indian mobile payment app developed by the National Payments Corporation of India (NPCI), based on the Unified Payments Interface (UPI). The app supports all Indian banks which use UPI, which is built over the Immediate Payment Service (IMPS) infrastructure and allows the user to instantly transfer money between bank accounts of any two parties. It can be used on all mobile devices.

Recently an Israeli cybersecurity firm vpnMentor claims to have discovered a data breach of personal records of around 7 million Indians used to onboard them to the mobile payment app BHIM. As per the report, the data was stored on a misconfigured Amazon Web Services S3 bucket and was publicly accessible. According to the vpnMentor, the breach was first discovered on April 23, 2020, and seem to have contained records from February 2019.

We have come across some news reports which suggest data breach at BHIM App. We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem.

said the National Payments Corporation of India (NPCI) in a statement

According to the reports the data leaked from the BHIM app claimed by vpnMentor consists of scans of Aadhaar cards and caste certificates, photos used as proof of residence, professional certificates and degrees, screenshots taken within financial and banking apps as proof of fund transfers, as well as scans of PAN cards.

The attempts by various parties in India to deny our findings are sad. The fact remains that PII [personal identifiable information]data of millions of Indian citizens was left unprotected on a public bucket named after CSC BHIM, and instead of looking into the faults that lead to this breach and make sure they won’t happen again, we are faced with ridiculous claims it never happened

We managed to confirmed CSC BHIM as the owner of the bucket in our research. The csc-bhim site ( mentions NPCI and Punjab national bank as their partners. The site features photos from BHIM drives in various parts of India, under the BHIM logo. The site itself bears the BHIM logo, as well as that of the Indian ministry of electronics and information

vpnMentor said

The claimed data leak includes sensitive financial data in the hands of criminal hackers would make it easy to trick, defraud, and steal from the people exposed. vpnMentor claimed that the data was stored on a misconfigured AWS S3 bucket. The Amazon Web Services’ (AWS) Simple Storage Service (S3) is a public cloud storage resource.

vpnMentor lastly said that they are confused about the breach as the CSC claim goes against the evidence they have. As it does not support any misleading issue they have shared the leak information to the Indian authorities. It is yet unclear that whose data has been stolen and is the leak claim true? However, the government has denied the claim and said that no data is been affected by any of the breaches.

To stay updated on Tech and cybersecurity news subscribe to our newsletter from here


About Author

Be Ready for the challenge

Notify of
Inline Feedbacks
View all comments