ICICI Bank denies data breach that reportedly exposed credit card, PAN and passport details

The leak occurred due to a misconfiguration in the bank’s systems, according to a report by Cybernews. The leaked data was stored in Digital Ocean which is a New York-based cloud service provider, the report added.

Leaked information

The information that was reportedly publicly accessible included “bank account details, credit card numbers, full names, dates of birth, home addresses, phone numbers, and emails.” The report added that even information such as the client’s passport details, IDs, and PAN details were also leaked in the breach.

Information about the ICICI Bank staff was also leaked and it included the CVs of current employees and job candidates as well. If such sensitive data falls on the wrong hands then the damages would be irreparable.

The data leak was first discovered by the Cybernews research team on February 1st after which they reported it to ICICI Bank and the Indian Computer Emergency Response Team (CERT-IN). The issue was then fixed and access to the leaked information was fully restricted on March 30th, the report added.

ICICI Bank, on the other hand, denied the data breach saying that there was no such incident, according to a report by ET. Initial reports on the data breach have also been taken down, and with ICICI Bank denying the incident, we cannot confirm if there was any data leaked. The bank issued a four-point statement on the incident, which is as follows:

1. The Bank does not own or manage the said URLs. Therefore, there is no question of a misconfiguration at the Bank’s end, as is mentioned in the article. 
2. The four documents found in the URLs seemed to be uploaded by individuals as storage. They do not compromise security of any account. 
3. Since the documents carried the Bank’s name, we took steps to bring the URLs down.
4. There is no evidence of availability of 3.6 million files with customer data, as mentioned in the article.

However, independent researchers argue that the leaked information appears to be legitimate, and is not limited to ICICI alone. “The compromised bucket contains information belonging to several other companies. I’m not sure why the researchers singled out ICICI,” said Rahul Sasi, co-founder and CEO at CloudSEK, a cybersecurity firm told ET.