Data Breach on CSC BHIM Site Puts 70 Lakhs Indians' Highly Sensitive Data at Risk: Report

The vulnerability on CSC BHIM site was first detected on April 23 and it is said that the loophole was fixed on May 22.

By Abhik Sengupta | Updated: 1 June 2020 17:46 IST
Highlights
  • Sensitive data was reportedly found in an unsecured server
  • Exposed data includes Aadhaar card details, PAN number and more
  • Government is yet to publicly address this issue

409GB worth of data was lying unsecured on cloud storage.

Aadhaar cards, caste certificates, and other highly sensitive personal data of over 70 lakh Indians have reportedly been exposed by a government website. The CSC BHIM website, used to promote UPI payments app BHIM, reportedly suffered a massive data breach. The CSC e-Governance Service India is a program to bring digital access to villages, and the CSC BHIM project was launched to get merchants at the village level to start accepting UPI payments through QR codes. Apparently, a tremendous amount of data of Indian citizens was gathered on the site, and this information has now been breached.

According to Israeli cybersecurity company vpnMentor, 409GB of data of users in India have been exposed, which includes a huge amount of highly sensitive, personally identifiable information. The company said that the exposure of this user data is akin to a hacker gaining "access to the entire data infrastructure of a bank," along with users' account information. The vulnerability was detected first on April 23 and it is said that the loophole was fixed on May 22.

Based on the report so far, there is no evidence yet that the BHIM app itself was leaking data, or that the UPI system is insecure.


How was CSC BHIM data breached?

The report by vpnMentor claims that the data collected for BHIM deployment was being stored on a misconfigured Amazon Web Services S3 bucket and was "publicly accessible." This is a fairly common error that many websites make when setting up their cloud systems. As per vpnMentor, 409GB worth of sensitive data of individuals and several merchants was lying unsecured, exposing them to potential fraud, theft, and attack from hackers and cybercriminals.

Sensitive data of lakhs of Indians was stored in cloud storage without security protocols on the account to ensure safety.
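
The report does not say which setting on the bucket was wrong. As an added illustration (not code from vpnMentor or from the CSC BHIM developers), the Python sketch below audits a bucket configuration for the two usual routes to public access, an ACL grant to a public group and a bucket policy with a wildcard principal, and shows how S3 Block Public Access closes both. The bucket name and sample configurations are constructed; the field names follow the shapes of the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock responses.

```python
import json

# AWS-defined grantee groups that make an ACL grant public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def as_list(v):
    return v if isinstance(v, list) else [] if v is None else [v]

def public_statements(policy_json):
    """Sids of Allow statements open to any principal with no Condition.
    Simplification: any Condition is treated as restricting access."""
    hits = []
    for i, s in enumerate(as_list(json.loads(policy_json).get("Statement"))):
        p = s.get("Principal")
        anyone = p == "*" or (isinstance(p, dict) and "*" in as_list(p.get("AWS")))
        if s.get("Effect") == "Allow" and anyone and not s.get("Condition"):
            hits.append(s.get("Sid", f"statement[{i}]"))
    return hits

def audit_bucket(cfg):
    """Return the settings that leave a bucket readable without credentials."""
    pab = cfg.get("PublicAccessBlock", {})
    findings = []
    if not pab.get("IgnorePublicAcls"):        # public ACL grants still honoured
        for g in cfg.get("Grants", []):
            if g["Grantee"].get("URI") in PUBLIC_GROUPS:
                findings.append("acl:" + g["Permission"])
    if not pab.get("RestrictPublicBuckets"):   # public policy still honoured
        findings += ["policy:" + sid for sid in public_statements(cfg.get("Policy", "{}"))]
    return findings

# Constructed sample configurations (bucket name and contents are hypothetical).
ARN = "arn:aws:s3:::example-kyc-uploads"
POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [ARN, ARN + "/*"]}]})
GRANTS = [{"Grantee": {"Type": "Group", "URI":
           "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]
EXPOSED = {"Grants": GRANTS, "Policy": POLICY, "PublicAccessBlock": {}}
HARDENED = {"Grants": GRANTS, "Policy": POLICY, "PublicAccessBlock": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit_bucket(cfg) or "no public access path")
```

The same ACL and policy produce findings only when Block Public Access is absent, which is why enabling all four settings at the account level is the usual baseline for buckets holding identity documents.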

"...the data was stored on an unsecured Amazon Web Services (AWS) S3 bucket. S3 buckets are a popular form of cloud storage across the world but require developers to set up the security protocols on their accounts. The exposed S3 bucket was labelled 'csc-bhim,' and our team was quickly able to identify the developers behind the website 'www.cscbhim.in' as the owners of the data," claim Noam Rotem and Ran Locar, cybersecurity researchers at vpnMentor.


What all data was compromised in the CSC BHIM breach?

According to vpnMentor, the following were some of the personal documents that were found in the exposed S3 bucket:

  • Scans of Aadhaar cards – India's national ID
  • Scans of Caste certificates
  • Photos used as proof of residence
  • Professional certificates, degrees, and diplomas
  • Screenshots taken within financial and banking apps as proof of fund transfers
  • Permanent Account Number (PAN) cards (associated with Indian income tax services)

Aside from this, the leak also included UPI VPAs (transaction IDs) of people.


Impact of the CSC BHIM data breach

The cybersecurity company said that the data breach exposes highly sensitive data including individuals' Aadhaar card information, caste certificates, proof of residence, professional certificates and degrees, and scans of Permanent Account Number (PAN) cards.

"Based on our research, the S3 bucket also contained documents and PII [Personally identifiable information] data for minors," the company said. The cybersecurity company explains that having such sensitive financial data in the public domain would make it "incredibly easy to trick, defraud, and steal from the people exposed."


"The exposure of private data may also contribute to a broader deterioration of trust between the Indian public, government bodies, and technology companies," the company added.

What has the government said over the CSC BHIM data vulnerability?

The report states that the cybersecurity company reached out to the developers of the CSC BHIM site to inform them about the breach; however, no contact was established. The company then reached out to India's Computer Emergency Response Team (CERT-In), which deals with cybersecurity in the country, on April 28, and the problem was reportedly rectified on May 22, without further response.

Gadgets 360 has also reached out to the National Payments Corporation of India, and Computer Emergency Response Team for more clarity.

