SBI's unprotected data server leaked account details of millions of customers; situation now under control

State Bank of India (SBI), the country’s largest public sector bank, was found to have an unprotected server at its Mumbai data centre that allowed anyone to access financial details of millions of its customers. The database has now been secured. According to a report in TechCrunch, the unprotected server was present in SBI’s Mumbai data centre and had stored two months of data from SBI Quick which is one of the bank’s customer service product. SBI Quick is a missed call banking service which lets customers give a missed call or an SMS with pre-defined keywords to a particular number to get access to features such as balance enquiry, mini statement, ATM card blocking, loan enquiry and so on and so forth. The server holding this database was not protected with a password according to the report. So anyone who could access this server had open access to SBI customer data which runs into millions of individuals. There are no details as to how long the server was password-less, but it was discovered by a security researcher. [caption id=“attachment_4081365” align=“alignnone” width=“1280”] State Bank of India[/caption] With SBI Quick if you are a customer, you can just send an SMS containing ‘BAL’, for instance, to a pre-defined number, and it will tell you your account balance. This makes the service ideal for even non-smartphone users. Since the customer account number is tied in with the phone number, it is easy to verify the customer. They could also see their last five transactions or inquire about home or car loans using the SBI Quick service. The code seen on TechCrunch reveals phone numbers and details such as account balance or transactions — depending on what query the customer sent. The backend text messaging system is what was exposed, letting the researcher see the details that were being sent to customers in real time. Messages going back to December were found to be accessible via this server. According to the report, SBI was informed about this and it has promptly secured the server by putting a password lock on it. SBI has also tweeted in response saying that they are investigating the matter and will update after the investigation is done.

In light of the recent news item, regarding an alleged data incident, please find below our statement: pic.twitter.com/mu4xn12QgL

— State Bank of India (@TheOfficialSBI) January 31, 2019

Should SBI customers be worried?

SBI has around 740 million accounts from its 500 million-odd global customer base. There is no mention if any financial damage has been done to any of the account holders. The report did not mention any leak of account PINs or passwords. But anyone with the right skills to access this unprotected server could have easily got information on high net worth individuals. Additionally, the customer details can be used to build a customer profile and could lead to identity theft. If you are someone who has subscribed to the SBI Quick service, then you need to check with your local branch if your account is indeed secure. If you used the SBI Quick service to inquire about the last five transactions or account balance or any of the services, you are vulnerable to being harassed in many ways or even probable candidates for future financial crimes. If you have not subscribed to the service, chances are that your data is safe. We have reached out to the State Bank of India for a comment on this report and will update the story when we hear back.