The National Payments Corporation of India has said there has been no data breach in the BHIM app. This was confirmed by an independent verification of recent news reports citing a data breach in the app, it said on Tuesday.

“A leading Digital Risk Monitoring firm has reconfirmed that the claims against the BHIM App are untrue. There is no data leak with respect to the BHIM app,” NPCI said.

The verification comes after news reports had surfaced stating that an Israeli cybersecurity firm had found a data breach in the CSC BHIM app.

Israeli cybersecurity firm, vpnMentor, discovered the data breach where the data of over 7 million Indian users was exposed while being onboarded on the CSC BHIM app, by the common service centres (CSC) of e-Governance Services, The Times of India (TOI) had reported.

The breach was discovered by members of vpnMentor’s research team, Noam Rotem and Ran Locar, the report said. Rotem said they discovered the breach on April 23 and had informed India’s cybersecurity agency, the Computer Emergency Response Team (CERT-In).

The data exposed online included images of users' Aadhaar cards and UPI identifiers of users onboarded by CSC e-Governance associates, it said.

“We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows a high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem,” it said in a statement.

“CSC e-Governance Services India Ltd was working in 2018 on a project to educate and activate village level entrepreneurs on digital payments and also educating them to create Merchant Virtual Payment Address (VPA). Most of these VPAs were not valid UPI IDs,” NPCI said.

The payments corporation added that the UPI ID, which is a virtual ID/token, was used instead of real account details to make payments and receive money more conveniently.

“This is a standard feature used by merchants, who only need to receive money using UPI,” it further said.

“Based on the findings from the Digital Risk Monitoring firm, it is ascertained that there is not a single instance of a data breach compromising financial details of the customers,” NPCI said.