India’s largest bank SBI leaked account data on millions of customers

guest · Jan 30, 2019

India’s largest bank SBI leaked account data on millions of customers
January 30, 2019
https://techcrunch.com/2019/01/30/state-bank-india-data-leak/

The server, hosted in a regional Mumbai-based datacenter, stored two months of data from SBI Quick, a text message and call-based system used to request basic information about their bank accounts by customers of of the government-owned State Bank of India (SBI), the largest bank in the country and a highly ranked company in the Fortune 500.

But the bank had not protected the server with a password, allowing anyone who knew where to look to access the data on millions of customers’ information.

The passwordless database allowed us to see all of the text messages going to customers in real-time, including their phone numbers, bank balances, and recent transactions. The database also contained the customer’s partial bank account number.
Click to expand...

mirimir · Jan 31, 2019

Really? No password?

I wonder why they would do that. Maybe it simplified integration with other stuff?

guest · Jan 31, 2019

mirimir said: ↑

Really? No password?

I wonder why they would do that.
Click to expand...

Perhaps the administrator has "forgot" to password-protect the server and the auditor of SBI's servers overlooked it or wasn't qualified enough (as mentioned in the next article)

SBI Investigates Reported Massive Data Leak
January 31, 2019
https://www.bankinfosecurity.com/sbi-investigates-reported-massive-data-leak-a-11986

The government-owned bank, which has 740 million active accounts, neglected to password-protect one of its servers based in a Mumbai data center, enabling easy access to customer data, TechCrunch reports.
Server Management Issues
Too often, banks in India do not conduct proper server management, says Prashant Pandey, a Noida-based security researcher. "Banks in India conduct audits in areas where the RBI has made it compulsory. The other areas are usually ignored," he says.
"Poor configuration by server administrators is to be blamed here," says P. Bala, chief technology officer at Arctos Networks, a software company based in Bengaluru.
Using Qualified Auditors
J. Prasanna, director at the Singapore-based Cyber Security and Privacy Foundation, questions whether the auditors appointed to check on SBI's servers were well-qualified.
"A degree or a certification doesn't make you a good cybersecurity auditor. Often in government, people are given a job based on their age rather than their competitiveness."
Click to expand...

mirimir · Feb 1, 2019

mood said: ↑

Perhaps the administrator has "forgot" to password-protect the server and the auditor of SBI's servers overlooked it or wasn't qualified enough (as mentioned in the next article)
Click to expand...

I've configured lots of servers. I can't imagine creating a login account without a strong password. I suppose that root accounts that are restricted to key-based logins would be OK, but even then I'd assign passwords. In some cases, I use SSH keys without passphrases, when I need to automate stuff. But I'd never share those keys with other management machines.

I mean, you'd need to go out of your way to avoid setting passwords.

Log in or Sign up

India’s largest bank SBI leaked account data on millions of customers

guest Guest

mirimir Registered Member

guest Guest

mirimir Registered Member

Log in or Sign up

India’s largest bank SBI leaked account data on millions of customers

guest Guest

mirimir Registered Member

guest Guest

mirimir Registered Member

Useful Searches