Money & Banking

PNB server vulnerability may have exposed data of over 180 m customers: CyberX9

Debangana Ghosh Mumbai | Updated on November 21, 2021

But bank denies exposure of important data

A vulnerability found in Punjab National Bank’s (PNB) internal server could allegedly let hackers gain the highest level of admin privilege, exposing personal and financial data of over 180 million bank customers, according to cybersecurity firm CyberX9.

Himanshu Pathak, Managing Director, CyberX9, told BusinessLine that the vulnerability also exposes access to confidential internal e-mails and logins of employees at all levels across branches and systems, including the CMD.

He added that though his firm discovered the vulnerability on November 17, the data had been left exposed for nearly seven months.

Bank denies exposure

PNB, however, denied any exposure of important data. The bank told PTI that it had tracked the vulnerability and no sensitive data was compromised. It also denied that any customer’s data had been exposed.

“The server, wherein the vulnerability was reported, was being used as one of the multiple Exchange Hybrid servers used to route emails from On-prem to Office 365 Cloud. There is no sensitive/critical data in this server,” PNB said.

According to CyberX9, a malicious attacker could easily control and access financial transactions, data on various loans and deals, and accounts of all the customers.

“The vulnerability was found in an exchange server, to which all other systems and networks are attached. Through this, the hacker can get access to master admin login. Initially PNB denied the glitch. On November 19, we had filed a complaint with CERT-In and NCIIPC, post that they said that they have closed down the server,” Pathak said.

Meanwhile, CyberX9 in its blog post asked for a thorough security audit of the bank’s systems.

Published on November 21, 2021
