The data of about seven million Indian users is available in the public domain after it had been breached, according to Israeli cybersecurity firm vpnMentor.

The firm discovered a data breach where the data of millions of users was exposed while they were being on-boarded on the BHIM app by the common service centres (CSC) of e-Governance Services, The Times of India (TOI) reported.

The breach was discovered by members of vpnMentor’s research team, Noam Rotem and Ran Locar, the report said. Rotem said that they had discovered the breach on April 23 and had informed India’s cybersecurity agency, the Computer Emergency Response Team (CERT-In).

The data that has been exposed online included images of the users' Aadhaar cards and UPI identifiers onboarded by CSC e-Governance associates. The data was available until last week, the report said.

The CSC e-Governance Service had said that data points such as a merchant’s virtual payment address (VPA) were kept public for wider transparency of the system. However, the project did not call for Aadhaar data of the merchants. Hence, there was no possibility of personal identifiers such as Aadhaar details being made public, it said. CSC also added that the data was hosted on Indian servers located within the country.

Along with the VPA, other information that was made public included static pages of the portal, PDF files, e-text, pictures, and awareness videos.

Cybersecurity issues have been a major concern these days owing to an increasing number of cyber threats and data breaches. Last week, cybersecurity firm Cyble said a hacker had put up personal details of nearly 2.9 crore Indian job seekers on a hacking forum on the dark web for free. In another report, a database of over 4 crore Indian users of caller ID app Truecaller that seemed to be from 2019 had been put up for sale on the dark web as well.

“Our researchers have identified a reputable seller, who is selling 47.5 Million Indians Truecaller records for $1000. The data is from 2019,” the Cyble report read.

Truecaller had later issued a statement denying a data breach and had stated that their systems were secure.
