The State Bank of India (SBI) failed to secure a key server in Mumbai that hosted sensitive information, which resulted in the leak of details of millions of bank accounts on Wednesday.
The leak was reported by TechCrunch, and it is presumed that information such as bank balances, bank account numbers and other key details was exposed.
TechCrunch, an American online publisher of technology industry news, highlights in the report that “the bank had not protected the server with a password, allowing anyone who knew where to look to access the data on millions of customers’ information”.
Reportedly, the publication came to know about the unsecured server after a tip-off from an anonymous security researcher.
It was not clear how long the server had been left unsecured. When TechCrunch reached out to SBI, the glitch was fixed. However, SBI did not comment on the matter.
The report noted that the unsecured server was part of SBI Quick, which allowed the bank's customers to send a message or make a call to carry out basic banking functions.
The bank explains on its website, “SBI Quick – MISSED CALL BANKING is a free service from the Bank wherein you can get your Account Balance, Mini Statement and more just by giving a Missed Call or sending an SMS with pre-defined keywords to pre-defined mobile numbers from your registered mobile number.
Please ensure that your mobile number is updated in your account to be able to register for this service.”
However, because SBI Quick connects an SBI customer’s phone number with their account, the data leaked from the SBI server could be used by identity thieves or scammers to swindle money from the bank’s accounts.
The report noted that after gaining entry to the unsecured SBI server, the TechCrunch team was able to see “text messages going to customers in real-time, including their phone numbers, bank balances, and recent transactions. The bank sent out close to three million text messages on Monday alone.”
The server also allowed access to an archive of messages, going back to December, that were supposedly sent to SBI users.
A blunder of this magnitude by one of the biggest public sector banks in the country could result in bank customers falling victim to identity theft or bank fraud.