Cybersecurity firm CyberX9, which alleged that there was a vulnerability in Punjab National Bank’s (PNB) internal server, on Tuesday questioned the bank's claims that no such breach or leak of customer data has taken place.


CyberX9, in a statement, asked, “Have they checked every single computer system and servers in their massive network which even includes computer systems in their large number of bank branches and other offices? It is a baseless argument from PNB without putting any actual efforts into checking if there are attackers already in their network or not who could've entered in at any point in these ~7 months when they were vulnerable. They simply left the door to their internal systems open for ~7 months and now they’ve to check their whole network (a very big maze) to find if any attacker is covertly hiding.”


“For the scale of PNB’s network (extremely large number of systems which includes computers in bank branches and other servers), it'll take at least more than a month even for a very large team of skilled security and forensic engineers to re-secure everything and find and clean up any infiltration. Until then PNB can’t be considered secure. We should not forget that CERT-In and NCIIPC accepted our reports to them where we mentioned the impact of the vulnerability which we also mentioned in our blog. And also that PNB had to shut down their server after our report which is a big thing since it shows the severity of the vulnerability and its impact,” it added.

Following several reports of a vulnerability in Punjab National Bank’s internal server that exposed personal and financial information of customers, the bank on Monday denied any breach of its systems and any possibility of data exposure. The bank has deployed data leak prevention solutions that stop any unauthorised data from being sent through emails, it said.

Responding to PNB’s claim that it has deployed data leak prevention solutions that prevent any unauthorised data from being sent through emails, CyberX9 said, “It's an irrelevant statement here since it's unclear what they mean by "unauthorised data". Any internal employee sending sensitive customer personal or financial data or internal confidential documents isn't "unauthorised data" and hence is indeed shared in emails.”

CyberX9 even questioned PNB’s ISO 27001 certification, saying the bank has violated it by not reporting and remediating the vulnerability in a timely manner.
