Contents:
ICICI Bank, an Indian multinational valued at more than $76 billion, with over 5,000 branches operating across India and 15 other countries worldwide has leaked millions of records with sensitive data, including financial information and personal documents of the bank’s clients.
The Indian government designated the ICICI Bank’s resources as a “critical information infrastructure” in 2022, meaning any damage could have an effect on national security. However, despite the catastrophic state of the nation’s banking infrastructure, the protection of sensitive data was not guaranteed.
During the recent investigation, Cybernews discovered that the bank leaked sensitive data due to the misconfiguration of their systems.
What Data Was Leaked?
The Cybernews research team discovered a misconfigured and publicly accessible cloud storage (Digital Ocean bucket) containing over 3.6 million files belonging to ICICI Bank.
Bank account information, bank statements, credit card numbers, full names, dates of birth, home addresses, phone numbers, emails, personal identification cards, and resumes of workers and applicants were among the information that was exposed.
Leaked Bank Statement (Source)
The bucket also had documents that contained the passports, IDs, and Indian PANs—Indian taxpayer-identification numbers—of clients. Additionally released were bank statements and fully completed know-your-customer (KYC) forms. The leak affected the staff as well, as CVs of current employees and job candidates were observed in the storage.
Cybernews reached out to both the bank and Indian Computer Emergency Response Team (CERT-IN) and the issue was fixed. Access to the Digital Ocean bucket belonging to ICICI Bank was fully restricted on March 30.
Cybernews also tried to obtain an official comment on the situation from the bank’s communication team, but it was rejected, and so far they received no response from the bank.
The impact of the discovered ICICI leak is estimated to be severe, as the volume of personal data leakage is significant… Such sensitive information could undermine ICICI bank’s reputation and may uncover details of the bank’s internal processes as well as jeopardize the safety and security of its clients and employees and their data.
Cybernews Researchers (Source)
Researchers claim that threat actors could exploit exposed data to commit fraud and identity theft. For instance, threat actors could register accounts in people’s names without their knowledge by using the stolen credentials and personal information. Employees, companies, and people whose data was exposed may be vulnerable to spear phishing attacks.
Last year, 18% of all cyberattacks targeted the banking sector. Due to the fact that threat actors frequently target bank account numbers, credit card information, and logins to online banking platforms, the banking industry is particularly susceptible to phishing attacks.
Leaked information could be used by threat actors to build a successful phishing attack that allows them to access bank accounts, make transfers, and commit credit card fraud.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.