- A server belonging to State Bank of India was discovered unprotected and left open for anyone to access.
- The database contains financial details of millions of customers.
- The server contains data from the SBI Quick service.
- Researchers notified SBI about the server, and it was secured immediately.
Security researchers discovered an unprotected server belonging to India’s largest bank, State Bank of India, publicly exposed for anyone to access.
State Bank of India is a government-owned bank, and the exposed server contains financial details of millions of customers.
The data breach, which involves data from SBI Quick, was reported to TechCrunch by a security researcher who refused to disclose his name.
“The bank had not protected the server with a password, allowing anyone who knew where to look to access the data on millions of customers’ information.”
SBI Quick is a text message and call-based system used by customers to request basic information about their bank accounts.
Customers can retrieve information such as their current balance and last five transactions using SBI Quick by sending a message or making a missed call.
According to the analysis by TechCrunch, it was the back-end text message system that was exposed.
The researchers were also able to see all of the text messages going to customers in real time by accessing the database.
The database contains details such as customers’ phone numbers, account balances, recent transactions and partial account numbers.
The database also contains daily archives of millions of text messages from December. It is still unclear how long the database was left unprotected.
Researchers said they verified the data with the help of security researcher Karan Saini by sending a text message to the system. The phone number was found in the database, along with the text message he received.
According to Karan Saini, attackers could use this data to profile and target individuals with high account balances.
The unprotected server was reported to SBI and India’s National Critical Information Infrastructure Protection Centre and was secured immediately.