State Bank of India (SBI), one of the largest banks in India, left millions of its customers’ financial data exposed for anyone to look into, according to a TechCrunch report.
The Mumbai-based server, which has now been secured, stored over two months of user data including bank balances, transaction history, and more.
The report states that the data was drawn from “SBI Quick”, one of the bank’s free services, which allows customers to view their account balance, transaction statements and more by sending SMS messages with pre-defined keywords.
For example, to request their account balance, a customer can use the service to message “BAL” to a specific number. In response, the server would show the total account balance of the bank account associated with the number.
Owing to the insecure database, the TechCrunch team was able to see text messages going to customers through the server in real time. The data included their phone numbers, bank balances, and recent transactions.
To further verify whether the database was actually hosting SBI customers’ data, the team asked India-based security researcher Karan Saini to send a text message through the SBI Quick feature.
And within a few seconds, his phone number along with the text message he received was spotted by the team.
It is unclear how long the hosting server was left unprotected without any password, but any tech-savvy person who knew where to look could access the data of millions of bank account holders of the government-owned State Bank of India.
This is probably one of the biggest data leaks affecting Indian citizens after the Aadhaar data leak, in which the data of over 1.2 billion users was exposed back in early 2018.