New Delhi: Personal details of 7 million Indians on the digital wallet Bhim’s website were exposed in a data leak, claimed an Israeli cyber security firm vpnMentor.

It claimed that there was no security protocol in place to prevent hackers from breaching the server. The data was stored on a misconfigured Amazon Web Services S3 bucket and was publicly accessible.

“The developers of the CSC/BHIM website could have easily avoided exposing user data if they had taken some basic security measures to protect the data,” it said.

It claimed that “a massive amount of incredibly sensitive financial data connected to the BHIM mobile payment app was exposed to the public”.

Parts of data were being stored “on a misconfigured Amazon Web Services S3 bucket and was publicly accessible”, it said.

In their study, cybersecurity researchers Noam Rotem and Ran Locar said exposure of BHIM user data is akin to a hacker gaining access to the entire data infrastructure of a bank, along with millions of its users” account information.

Govt denies BHIM data breach

The National Payments Corporation of India (NPCI) has issued a statement saying there has been no compromise of data on the BHIM app.

“We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations,” a statement from state-run National Payments Corporation of India said.

It added that the body follows a high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem.