In news that may concern lakhs of State Bank of India (SBI) customers, the largest bank in the country has failed to keep its customers’ data secret. According to a TechCrunch report, the allegedly unprotected State Bank of India server was housed in a Mumbai data centre and included two months of data from SBI Quick, the bank’s missed call banking service. SBI Quick is claimed to offer consumers an easy, non-connected way to get basic information about their account with the bank. Consumers can ask for their balance or a mini statement, request a cheque book, and more.
The SBI server was apparently not protected by a password, giving anyone who knew where to look access to the banking data of millions of customers, including their mobile numbers, partial account numbers, account balances, recent transactions and more. TechCrunch says the leak was discovered by a security researcher who wants to remain anonymous.
The SBI Quick service was especially useful for those who own a feature phone and cannot access internet banking. Along with the information mentioned above, the Mumbai-based server was also used to store daily archives of the bank.
How will it affect the users?
The exposed data contains phone numbers and partial account details of SBI account holders. Hackers can use those phone numbers to demand ransom, especially from holders of accounts with a high balance. The same phone numbers can also be used for social engineering attacks.
The leak has not revealed any account authentication passwords, which is a relief. As of now, there is no information on the exact amount of data that has been leaked from the Mumbai-based SBI server.
State Bank of India is yet to comment on the breach. It is pretty wild to think that a government-owned entity forgot to secure a server holding data that can be used for social engineering attacks.
Secure Yourself from being a Victim of Social Engineering
The simplest way to avoid becoming a victim is to guard against social engineering attacks. If you get a call from someone claiming to be a bank manager who says they would like to upgrade your card free of cost, or that your card has expired and they would like to validate it, and they ask for your card number, PIN, expiry date, etc., NEVER SHARE the card number/PIN/expiry/password. Below is a list of practices to follow to avoid becoming a victim of social engineering attacks:
When Talking In Person Or Over A Call
Do:
- Share information on a need-to-know basis
- If asked to disclose confidential information, find out why such information is required
Don't:
- Assume that the enquirer has a right to know the required information
- Discuss anything in public places
When Contacted Over an Email Or Online Chat
Do:
- Delete spam mails to prevent the download of malware onto your computer
- Be cautious of emails / chats from unknown sources
Don't:
- Share sensitive information like your PIN / password
- Open mails from anonymous senders with unknown topics
For Physical Documents
Do:
- Shred documents, especially confidential ones, if you’re discarding them
- Find out where your printouts are, if they’re missing
Don't:
- Leave sensitive information unattended
- Print sensitive information, or keep printing if unable to trace previous print-outs