How safe is your bank account information stored with the State Bank of India, the country’s largest bank? Not much, apparently. A report on Wednesday revealed that the SBI forgot to secure a key server hosting sensitive information in one of its Mumbai installations and that the server might have leaked details of millions of bank accounts. It has been presumed that information related to bank balance, bank account number and other key bits were leaked.
The report in TechCrunch, which came to know about the unsecured server after a tip-off by an anonymous security researcher, highlights that “the bank had not protected the server with a password, allowing anyone who knew where to look to access the data on millions of customers’ information”.
It is not clear for how long the server was left unsecured. But when TechCrunch reached out to SBI, the glitch was fixed. However, SBI did not comment on the matter.
The report noted that the unsecured server was part of SBI Quick, which allowed the bank's customers to send a message or make a call to carry out basic banking functions. The bank explains on its website, “SBI Quick – MISSED CALL BANKING is a free service from the Bank wherein you can get your Account Balance, Mini Statement and more just by giving a Missed Call or sending an SMS with pre-defined keywords to pre-defined mobile numbers from your registered mobile number. Please ensure that your mobile number is updated in your account to be able to register for this service.”
However, because SBI Quick connects an SBI customer’s phone number with his account, the data leaked from the SBI server could be used by identity thieves or scammers to swindle money from bank accounts.
The report noted that after gaining entry to the unsafe SBI server, the TechCrunch team was able to see “text messages going to customers in real-time, including their phone numbers, bank balances, and recent transactions. The bank sent out close to three million text messages on Monday alone.”
The server also allowed access to the archive of messages going back to December that were supposedly sent to SBI users.
An Indian company, and an Indian bank, being in the news because of poor digital security practices is not new. In 2016, millions of debit cards issued by a number of Indian banks, including SBI, were compromised. Of late, we have also seen a growing number of bank fraud cases where scammers, using identity theft and Aadhaar data, have compromised bank accounts and stolen money from those accounts.