If we want to enter a branch of SBI, we may have to encounter a guard and a half-closed gate. In secure rooms, there may even be access-controlled doors. But it is a surprise to learn that the server housing the “Customer data”, which is as valuable as the entire deposits of the customers, was not secured even by a password, let alone by robust encryption.
This is the revelation made by a security researcher (refer to the article in India Today), based on which it appears that millions of customers’ account data were kept open for anyone to view and perhaps download. It is not known how long the server was left in that condition.
The security researcher was reportedly able to track transaction details in real time. In fact, the media report states that the researcher was able to witness 3 million messages on Monday alone.
It is said that the leak has now been plugged.
This is indicative of the information security that the biggest of the Banks follows. Probably other Banks are worse off. We have pointed out in the past that somehow SBI appeared to lead the Banks on which fraudulent phishing phone calls were the highest. (Refer here).
We have also pointed out earlier that Axis Bank and Punjab National Bank, besides ICICI Bank, are notorious for phishing frauds. When we confront these Banks in judicial fora, they always come up with an ISO 27001 certificate stating that their system security is the best in the world. But the reality is that even the bigger Banks, which do not lack the funds to hire the best talent in the country, are woefully short of security at the implementation level.
One estimate is that around 740 million sets of data might have been compromised in this incident. Had the PDPA 2018 been in place and been imposed as strictly as the GDPR is on Facebook etc., SBI would have faced a liability of Rs 100+ crores. SBI is fortunate that the data breach has occurred now, before the PDPA 2018 has become law.
SBI-Aadhaar Enrolment fraud
Just two days back, there was another report according to which SBI had allowed its systems to be misused in the Aadhaar enrolment scheme and tried to blame UIDAI for lack of security. (See report here).
In this case, SBI had used an outsource partner for Aadhaar enrolment, unlike many other Banks, which have trained their own officers for the purpose. An employee of the outsource partner (Mr Vikram) had, with the help of his operator ID, generated Aadhaar cards using fake documents between November 9 and November 17, 2018. He had managed to generate bogus Aadhaar cards using “multiple station IDs” in his name.
According to one report in Moneycontrol.com, SBI had outsourced its Aadhaar enrolment work to two vendors, FIA Technology Services Pvt Ltd and Sanjivini Consultants Pvt Ltd, in the Chandigarh region to reach its Aadhaar enrolment target. Probably Vikram was an employee of one of these subcontractors. (It appears that these firms were empanelled by UIDAI). He was fined Rs 33 lakhs by UIDAI.
The Bank has come out with a strong defence in support of Mr Vikram (See report here). An internal investigation by SBI and its vendor gave a clean chit to Vikram against the UIDAI charges. The bank has also requested the UIDAI to remove the penalty and allow him to return to work, it added. The bank has also urged the UIDAI to offer an explanation on the incident and the creation of multiple station IDs.
Legally, Mr Vikram being an agent of SBI and using the ID on behalf of the Bank, the Bank is fully liable for the incident. We can always debate whether UIDAI could have had some enhanced security to identify whether one operator was using multiple station IDs. But the primary responsibility has to be borne by SBI.
The strong counter posed by the Bank indicates that the Bank wants to protect Mr Vikram, and this gives room for suspicion that some other person in the Bank was also involved in a larger fraud.
This incident is an eye opener to judicial authorities who sometimes get enamoured by a Bank making a statement that “Our Security is the Best and if any fraud has happened it is only because of the customer’s negligence.”
The above two incidents indicate a serious lapse in the information security status in SBI and there is a need for some heads to roll.