Researchers have recently found that the ICICI Bank systems misconfiguration caused data leakage, exposing more than 3.6 million customers’ sensitive data.
ICICI Bank, a multinational Indian bank, operates in 15+ countries worldwide and boasts a market value exceeding $76 billion with 5,000+ branches across India.
The Indian government declared ICICI Bank’s resources as “critical information infrastructure” in 2022, signifying that any harm may have severe implications on national security.
Threat actors target financial services and organizations more frequently than other sectors. And in this case, if they managed to gain complete access to the leaked data, it could damage both the bank and its customers.
ICICI Bank’s sensitive data and its clients’ information were exposed when the Cybernews research team found a misconfigured and publicly accessible Digital Ocean bucket with over 3.6 million files on February 1.
Here below, we have mentioned the types of data leaked:-
- Bank account details
- Credit card numbers
- Full names
- Dates of birth
- Home addresses
- Phone numbers
In addition to leaking bank statements and filled-in KYC forms, the bucket exposed clients’ passports, IDs, and Indian PANs (taxpayer identification numbers).
In the storage, CVs of current employees of the bank, as well as job applicants, were found. This is another indication that the leak also affected staff at the bank.
The impact of the leak is expected to be severe due to the massive amount of personal data is leaked, which can potentially damage:-
- Reputation of the bank
- Expose internal processes of the bank
- Compromise the safety and security of clients’ sensitive data
- Compromise the safety and security of employees’ sensitive data
According to the report, Leaked data could enable threat actors to engage in identity theft and fraud, such as creating accounts in individuals’ names without their knowledge using stolen credentials and personal information.
Not only that, even as a result, spear phishing campaigns may target employees, businesses, and individuals whose data has been exposed, putting them at risk.
Also, selling data on the dark web is a potential risk, and ICICI Bank could also become a target of ransomware attacks.
After identifying the issue, the security researchers immediately contacted the following entities in an attempt to report this loophole:-
- ICICI Bank
- Indian Computer Emergency Response Team (CERT-IN)
As soon as they reported the issue to ICICI Bank, they acted immediately, and on March 30, they restricted all public access to their Digital Ocean bucket.
When security experts at Cybernews tried to get an official comment from the communication team of the ICICI Bank, they received the following reply via email from the bank:-
“Thanks for your email. With regards to it, we do not know which incident you are referring to.”
Later when they tried to establish their communication with the bank’s Corporate Communications Team, they rejected the email sent by a Cybernews journalist.
Here below, we have mentioned all the recommendations that the security analysts provide:-
- It is recommended that cloud storage buckets be secured as much as possible to prevent such data leaks.
- ICICI Bank must notify its customers of the data leak so they can minimize the risk and further damage that may occur.
- Bank should directly guide all its users to report any suspicious activity immediately to ICICI Bank to identify and avoid fraudulent emails, websites, and calls.
- Passwords must be changed, and vital login details should be created for those affected.
- Make sure to enable 2-Factor authentication.