The purported data leak, according to the research-based online publication, resulted from a misconfiguration of the bank systems that exposed the 35 lakh records.
In its 4-point statement, ICICI Bank categorically denies the data breach incident. Researchers tell ETCISO that although the leaked KYC data appears legitimate, it cannot be attributed to a lapse by the banking major.
The discovery
The leaked data comprised bank statements, credit card numbers, KYC information — names, dates of birth, addresses, phone numbers, email IDs — and personal identification documents such as PAN card information and scanned passport copies.
In addition to customer data, researchers found that resumes of current and prospective employees were found in the leaked data dump.
Screenshot of leaked passport copy (Image source: CyberNews)
Upon discovery of the misconfigured cloud that resulted in the breach incident on 1 February, the team contacted ICICI Bank and CERT-In, following which issue was resolved, according to the CyberNews report. Researchers say that as on 30 March, access to the DigitalOcean bucket belonging to ICICI Bank was fully restricted.ICICI Bank’s response
Following CyberNews’ initial report, several news outlets published news of the purported breach, however, many, including Times Now, Business Today and Livemint took down their stories.
According to the Times Now version, still accessible via MSN, ICICI Bank advised its customers to ignore reports of the breach and assured them that their data was secure. India’s third biggest bank, in terms of market capitalization, also warned that it will take “legal action against any entity spreading false news about data breaches or trying to damage its reputation.”
According to information shared by Rahul Neel Mani, vice president of community engagement & editorial at ISMG, on LinkedIn, ICICI Bank issued a 4-point statement in which it dismisses CyberNews’ findings:
- The Bank does not own or manage the said URLs. Therefore, there is no question of a misconfiguration at the Bank’s end, as is mentioned in the article.
- The four documents found in the URLs seemed to be uploaded by individuals as storage. They do not compromise security of any account.
- Since the documents carried the Bank’s name, we took steps to bring the URLs down.
- There is no evidence of availability of 3.6 million files with customer data, as mentioned in the article.
What independent researchers say
Rahul Sasi, co-founder and CEO at CloudSEK tells ETCISO that the CyberNews’ report is based on a leaked data dump from DigitalOcean. He says that the leaked dump contains data from several other companies and not just ICICI Bank.
“The compromised bucket contains information belonging to several other companies. I’m not sure why the researchers singled out ICICI,” he says.
Commenting on the legitimacy of the dataset in question, Sasi says the data appears to be legitimate KYC information, but he’s certain the leaked data cannot be attributed to ICICI Bank.
Rahul Sasi, Founder & CEO, CloudSEK
Instances of massive tranches of data comprising KYC information of millions of people being leaked have become a common occurrence. Although it’s now clear that the data leak wasn’t due to ICICI’s lapse, the fact remains that the data is legitimate.
Furthermore, Sasi refutes CyberNews’ claim that the compromised dataset contained financial information of customers, such as credit card data and bank account details. While CyberNews posted a snapshot of the KYC data of a particular customer and a scanned passport copy of a bank employee, no evidence pointing to leaked credit card or bank account data was provided in its report.
ETCISO reached out to CyberNews to ascertain the anomalies in its report but we haven’t yet received a response.
Sanjay Kaushik, managing director at Netrika Consulting Pvt. Ltd, a risk consulting and cybersecurity company, also tells ETCISO that his sources in cybercrime law enforcement confirm that there was indeed a data leak and that the compromised data is legitimate.
“Generally, companies tend to deny reported data breach incidents for the first few days, unless the information is out there, in total. You can have 100% surety only when you have the details in hand,” he says. He wasn’t, however, able to confirm if the leaked data came from the said DigitalOcean cloud bucket.
Sanjay Kaushik, MD, Netrika Consulting Pvt. Ltd.
DigitalOcean suffered a serious security incident in Aug’ 2022
In its blog dated 15 August 2022, DigitalOcean admitted that a week earlier, the company discovered that its Mailchimp account had been compromised as part of a suspected “wider” Mailchimp security incident. As a result of DigitalOcean’s Mailchimp account being suspended, its customers weren’t able to receive email confirmations, password resets, and email-based alerts.
A second incident, however, triggered the alarm: a customer contacted the company claiming their password had been reset without initiation. That’s when DigitalOcean launched an investigation.
Due to the breach, the cloud services major surmised that certain DigitalOcean customer email addresses may have been exposed. The company also found reports of threat actors attempting to access the compromised data: “A very small number of DigitalOcean customers experienced attempted compromise of their accounts through password resets.”
Although DigitalOcean maintains no other information barring email addresses were compromised, it recommended its clients to maintain increased vigilance against phishing attempts made by hackers.
Government of India red-flagged ICICI Bank’s information security in June 2022
According to a post published by veteran cyber law specialist, Vijayashankar Na, founder of Naavi, a non-profit organization committed to building cyber jurisprudence in India, MeitY issued a notification on 16 June 2022 declaring ICICI’s core banking system (CBS), real time gross settlement system (RTGS), national electronic fund transfer system (NEFT), and the structured financial messaging server were to be considered as protected systems.
MeitY notification on ICICI Bank (Source: naavi.org)
Per MeitY’s directive, a CERT-In representative would have to be included in the information security governance committee of ICICI Bank to supervise all information security policies and implementations — a “huge embarrassment”, in Vijayashankar’s words.
There are reports that similar directives were passed for HDFC Bank and NPCI, but the gazette notification is only available for ICICI Bank.
The reason for appointing a cybersecurity watchdog for ICICI, Vijayashankar explains, is because the government apprehends that the the incapacitation or destruction of the system , shall have “debilitating impact on national security, economy, public health or safety.”