In yet another embarrassing gaffe for the Indian BFSI sector, India’s largest bank, SBI, has left millions of customer accounts exposed.
How? The bank failed to secure a key server holding sensitive customer account information. The server is estimated to have held financial transaction records for over a million SBI customers.
As first reported by Techcrunch, an independent security researcher found that the bank had left the server without password protection, so anyone who found it could read the data of millions of customers. No exploit was needed: reading the data took nothing more than connecting to a service that should never have been reachable without credentials.
To understand the significance of this data leak, CSO Online spoke to Prashant Mali, President and Founder of Cyber Law Consulting and a renowned cyber policy leader.
He said that bank account data is classified as ‘sensitive personal data’ under Section 43A of the IT Act, 2000. “Any customer can file a suit for compensation and damages,” he added.
The Achilles’ heel – SBI’s text messaging service
The single point of failure in this case was the backend of SBI’s text messaging service, SBI Quick, which allowed customers to check their balance, view their latest transactions, and report or block lost cards.
Because that database was not password-protected, the researcher could read every text message passing between the bank and its customers, the very messages that carry balances, recent transactions and card-blocking requests. To give a sense of the scale of the exposure, around three million such messages were sent on a single day.
This is not the first time SBI’s security management has come under the spotlight: in 2016, the bank had 320,000 ATM cards compromised.
It’s time to crack the whip on negligent companies
The BFSI space in India has suffered numerous breaches, yet its firms seldom take ownership of data leaks.
So who is liable for data leaks? Mali stated that BFSI companies and the security auditors who issue them certificates of compliance are equally liable for this type of “gross negligence”.
He opined that the RBI and the government should take suo motu action and penalise banks for data leaks. “Today, since the data protection law is yet to come into effect, the issue remains a lacuna,” he said. The cyber law veteran believes that an AI-based dashboard that continuously shows the security level of bank assets is a must, and that top management should have access to it so they can play a ‘maker and checker’ role.