ICICI Bank, one of India’s largest private sector banks, leaked sensitive data due to a misconfiguration of its systems, according to Cybernews researchers. The leak, which was discovered on February 1, affected the bank and its clients, with exposed data including bank account details, credit card numbers, full names, dates of birth, home addresses, phone numbers, and emails, as well as passports, IDs, and Indian taxpayer identification numbers.
Furthermore, the leak also affected the bank’s staff, as CVs of current employees and job candidates were observed in the storage. The attack was fixed on March 30, but ICICI Bank has yet to issue an official response to the incident.
It is estimated to have a severe impact as the volume of personal data leakage is significant and could undermine ICICI Bank’s reputation.
Additionally, according to the researchers, threat actors could use the leaked data to commit identity theft and fraud, while employees, businesses, and individuals whose data were exposed could be at risk of spear phishing campaigns.
The banking sector is especially vulnerable to phishing attacks as malicious actors often go after logins to online banking platforms, credit card credentials, and bank account numbers.
Malicious actors could use the leaked data to construct a successful phishing attack to gain access to bank accounts, make transfers, and perpetrate credit-card fraud.
To prevent such data leaks, researchers advise always securing cloud storage buckets.
ICICI Bank should mitigate the risk and further damage by notifying its customers of the data leak, providing guidance for customers on identifying and avoiding fraudulent emails, websites, and calls, and urging them to immediately report any suspicious activities to the bank.
Those affected should change their login details and create strong passwords as attackers could easily guess weak ones due to the vast amount of personally identifiable information exposed.
