State Bank of India (SBI) was in the news because of vulnerabilities in its communication servers. Unprotected servers of India’s largest bank, which hosts the data of more than 500 million customers globally, were at risk of data theft.
India’s largest bank confirmed that there was no casualty such as data theft. However, the security lapses identified in SBI’s servers have created a wealth of opportunities for regtech startups. Vulnerability assessment and GDPR non-compliance could create further opportunities around data theft incidents.
SBI Quick, the SMS service offered by the bank, was discovered by a security researcher to be unprotected; the researcher reported the finding to the US technology company TechCrunch. SBI Quick enables its users to query their bank accounts by message for recent transactions and loan details.
SBI Quick, the bank’s SMS service, enables SBI’s customers to text the bank, or make a missed call, and receive the requested information back by text message. The text message system was designed to serve the close to 740 million worldwide customers of the bank who don’t use a smartphone or have limited data services.
SBI Quick is an interesting service offering. Through the messaging system, the customer’s registered phone number is recognized by the bank’s SMS service. The SMS service then sends the customer’s balance and recent transactions. The system also makes it easy to review the last five transactions, block an ATM card and make inquiries about home or car loans. The exposed SBI servers contained only limited financial information about the account holders.
The data of millions of customers could have potentially opened the floodgates for financial fraud by letting attackers identify high-value targets based on their current bank balances. The unprotected server also exposed information such as the bank balances and phone numbers of SBI customers.
However, it should be kept in mind that the data leak at SBI is not the first in India. There was another data leak last year in Aadhaar, the country’s national identity database. Looking at the complete story, many security experts expressed the opinion that it was more of a media hype. The real impact of not password-protecting the server may not have caused widespread panic in the banking sector, but it is good practice to protect customers in real time. The messages going to customers may not have led to theft of crucial information, but in the wake of privacy laws it was necessary to protect customer information. Stringent laws like the General Data Protection Regulation (GDPR) may have a significant impact on such incidents and on the business of State Bank of India in Europe.