Search engine exposes breach of security at bank
From THE HINDU
In what appears to be a breach of security, an Internet search for a lawyer’s phone number led a Mumbai-based researcher to a large trove of data (http://knowledge.bankofindia.com:8080) that looks like a directory comprising scores of folders stored on the Bank of India portal. Each folder comprised documents that indexed data, which included user IDs, names, date of birth, email IDs, passwords, details of branch and head offices. One of the many folders accessed by The Hindu listed details of what appeared to be data pertaining to more than 42,000 users.
While there is little doubt that there has indeed been a security lapse, it is unclear whether this data compromises the bank or its customers in any way. When contacted, a Bank of India official claimed that this data “was by no means sensitive or related to customer databases”, but merely a repository of employee information stored “for internal communication purposes”.
Sameer J. Ratolikar, Chief Information Security Officer, Bank of India, told The Hindu that the data is from “an internal knowledge portal that was shut down in 2006”.
Mr. Ratolikar said: “We had an old system in 2006, which was available from the Internet for overseas branches and this file was part of that old communication.”
When he was asked whether it wasn’t considered a breach when one of the fields contained data as critical as passwords and date of birth up on the Internet, he said: “The passwords are not valid as the system has been dysfunctional for long. We have written to Google to remove contents from cache.”
That this data, even if only employee information, was accessible, violates privacy. Among the email IDs listed in the files accessed by this correspondent were a few that were registered with a Bank of India domain name. But there were also many personal IDs. One of the users even mentioned a date of birth as 1945.
Bank alerted
Oommen C. Kurian, the health researcher, who stumbled upon this data on Wednesday morning, first alerted the bank. After repeated calls, BOI cut off access to the directory by early evening.
A BOI customer himself, Mr. Kurian said he was intrigued when he found files with over 40,000 user details listed. He claims that he was also able to find files linked to names selected for increments, and internal documents, some of them created in 2011.