Cybersecurity firm CyberX9 has discovered a potential data leak in internal servers of Punjab National Bank (PNB). The critical vulnerability could give an attacker the “highest level privileges of administrator” on PNB’s internal server, exposing a massive number of systems.
The firm further claims that the vulnerability was open for the past 7 months, exposing the data of the bank's entire customer base of 180 million customers. The bank patched the vulnerability after CyberX9 reported it to CERT-In and NCIIPC.
Why does this matter?
According to the report, had any hacker exploited the vulnerability, they could have accessed a large number of computers connected to the server, including computers used in branches and other departments.
Any malicious actor could use this access to steal data and make transactions by gaining full control of such connected computers. Further, the vulnerability is well known and hackers around the world are actively exploiting it.
Besides hacking into the computers and stealing funds, any adversary could also encrypt all data using ransomware. Such an attack would completely halt the operations of the bank, the 2nd largest in India.
However, it is not known if hackers exploited the vulnerability. Therefore, CyberX9 is asking for a detailed security audit of PNB. The RBI had ordered one such audit after Mobikwik denied data breach allegations.
The Bank’s response
The firm says that PNB just had to patch the vulnerability through updates, which it failed to do. Further, although the bank mentions that security is its topmost priority, it does not mention a way to contact its security team.
Hence, CyberX9 reported the issue to CERT-In and NCIIPC. Following the report, both agencies acknowledged it and the vulnerability was patched the very next day.
However, the bank has denied the breach of its systems. In a statement, it said it had thoroughly checked its systems. It said that “there has been no breach of systems and pilferage of any personal data of any of our customers and account holders of PNB”.
It further said that it monitored and checked the reported attempt. “All our critical ICT systems dealing with banking transactions are kept in secure zone, called DM zone with multiple layers of protection”, it added.