In news that may concern lakhs of State Bank of India (SBI) customers, the country’s largest bank has failed to keep its customers’ data confidential. According to a TechCrunch report, the SBI server that exposed the user details hosted two months of data from SBI Quick, a text-message and call-based system that customers use to get information such as their account balance. The bank had not protected the server with a password, allowing access to the confidential data of millions of customers.
The report said it was not known how long the server had been open. The database gave access to real-time text messages, account balances, recent transactions and partial bank account numbers, and also exposed customers’ phone numbers. The report also claimed that SBI has now secured the server. A security researcher said the leaked data could be used to target customers with high bank balances.
Ankush Johar, Director at Infosec Ventures, told Zee Business Online that there is a need for adoption of a ‘Responsible Vulnerability Disclosure’ policy.
“This massive story showcases the need for adoption of a ‘Responsible Vulnerability Disclosure’ policy that doesn’t penalise the security researcher community. There is an ISO/IEC 29147 policy now available and companies serious about their security need to adopt this, to safeguard their cyber posture. It is a shame that security researchers are threatened with legal action even when they approach organisations via the responsible disclosure route,” said Johar.
Earlier this week, SBI had accused UIDAI of mishandling citizens’ Aadhaar data in a way that allowed the creation of fake Aadhaar cards. However, UIDAI has rubbished the charges, claiming that citizen data is safe.