According to CyberX9, the data remained exposed for about seven months, and the vulnerability provided access to PNB's entire digital banking system with administrative control.
PNB has confirmed the glitch in its servers. However, the bank has denied that any critical data was exposed because of the vulnerability. PNB said “customer data/applications are not affected due to this” and “server has been shut down as a precautionary measure.”
“Punjab National Bank kept severely compromising the security of funds, personal and financial information of over 180 million (all) its customers for about the last 7 months. PNB only woke up and fixed the vulnerability when CyberX9 discovered the vulnerability and notified PNB through CERT-In and NCIIPC,” CyberX9 founder and MD Himanshu Pathak told PTI.
Pathak added that the team discovered a very critical security issue in PNB that led to admin access to internal servers, leaving a massive number of banks’ systems nationwide open to cyber-attacks for about the last seven months.
He said that the vulnerability was found in an Exchange server that is interconnected with other Exchange servers and shares all access, including access to all email addresses.
“The vulnerability which we discovered was leading to the highest level of admin privilege in PNB’s exchange servers. If you gain access to Domain Controller through an exchange server then the doors very easily open to make any computer accessible in the network.
“These computers even include those that are being used in their branches and other departments,” Pathak said.
“The server wherein the vulnerability was reported, was being used as one of the multiple Exchange Hybrid servers used to route emails from On-prim to Office 365 Cloud. There is no sensitive/critical data in this server,” PNB said.
“Now this server has been shut down as a precautionary measure,” PNB said. CyberX9 pointed out that the vulnerability was mitigated on November 19. The cybersecurity firm has also reported the incident to the Indian cyber security watchdog CERT-In and the National Critical Information Infrastructure Protection Centre (NCIIPC).