India’s largest bank, SBI, has leaked account information and other sensitive data belonging to millions of users. A report published on TechCrunch says that SBI forgot to secure a key server containing sensitive information of its Mumbai installations, and that the server might have leaked details of millions of bank accounts. The leaked information includes bank account numbers, bank balances, and other key details.
According to an anonymous security researcher, “the bank had not protected the server with a password, allowing anyone who knew where to look to access the data on millions of customers’ information”.
The unsecured server also contains information from the SBI Quick service. The bank explains on its website, “SBI Quick – MISSED CALL BANKING is a free service from the Bank wherein you can get your Account Balance, Mini Statement and more just by giving a Missed Call or sending an SMS with pre-defined keywords to pre-defined mobile numbers from your registered mobile number. Please ensure that your mobile number is updated in your account to be able to register for this service.”
The TechCrunch team was able to see and send “text messages going to customers in real-time, including their phone numbers, bank balances, and recent transactions. The bank sent out close to three million text messages on Monday alone.”
TechCrunch reported the issue to SBI and India’s National Critical Information Infrastructure Protection Centre, which receives vulnerability reports for the banking sector. Surprisingly, the database was secured overnight.
It is not clear how long the server was left unsecured. SBI did not offer any comment on the matter.