NEWS
Server glitch but no sensitive customer info exposed: PNB
Punjab National Bank admits of server glitch but denies allegations that personal and financial information of its 180 mn customers were exposed for about seven months.
Punjab National Bank admits of server glitch but denies allegations that personal and financial information of its 180 mn customers were exposed for about seven months.
Punjab National Bank (PNB) has admitted that its servers had a glitch but denied allegations that the personal and financial information of its about 180 million customers were exposed for about seven months.
The country’s second-largest public sector bank assured that the affected server had no sensitive or critical information. According to the bank, 'customer data/applications are not affected due to this' and 'server has been shut down as a precautionary measure'.
The clarification followed an allegation by cyber security firm CyberX9 that a vulnerability in the server of PNB provided access to the entire digital banking system of the bank with administrative control.
“Punjab National Bank kept severely compromising the security of funds, personal and financial information of over 180 million (all) its customers for about the last 7 months. PNB only woke up and fixed the vulnerability when CyberX9 discovered the vulnerability and notified PNB through CERT-In and NCIIPC," news agency PTI quoted CyberX9 founder and MD Himanshu Pathak as saying.
CyberX9 research team discovered a very critical security issue in PNB which was leading to admin access to internal servers hence exposing a massive number of banks' systems nationwide open for cyber-attacks for the last about seven months, Pathak said.
Vulnerability was found in an exchange server interconnected with other exchanges and shares all access, including access to all email addresses which results in access to all email addresses, he added.
“The vulnerability which we discovered was leading to the highest level of admin privilege in PNB's exchange servers. If you gain access to Domain Controller through an exchange server then the doors very easily open to make any computer accessible in the network. These computers even include those that are being used in their branches and other departments," PTI quoted Pathak as saying.
Meanwhile, PNB denied CyberX9's claim on the threat to customer's data due to the vulnerability.
"The server wherein the vulnerability was reported, was being used as one of the multiple Exchange Hybrid servers used to route emails from On-prim to Office 365 Cloud. There is no sensitive/critical data in this server," PNB said.
"The server is in a separate VLAN segment and customer data/applications are not affected due to this. Vulnerability assessments and penetration testing is done periodically by external Cert-in empanelled Information Security Auditors and the observations are complied with. Now this server has been shut down as a precautionary measure,” PNB added.
According to CyberX9, the vulnerability was mitigated on November 19, and it reported the incident to Indian cyber security watchdog Cert-In and National Critical Information Infrastructure Protection Centre (NCIIPC).