Critical financial and personal information of 180 million Punjab National Bank (PNB) customers was at risk for around seven months due to a vulnerability in the Bank’s servers, according to cybersecurity firm CyberX9.
The vulnerability provided access to the entire digital banking system of the Bank with administrative control.
CyberX9 also claimed that the vulnerability exposed confidential internal e-mails and the logins of employees at all levels across branches and systems, including the chairman and managing director (CMD).
PNB, however, denied any exposure of important data. The Bank said that it had tracked the vulnerability and that no sensitive data was compromised. It also denied that any customer data had been exposed.
“The server, wherein the vulnerability was reported, was being used as one of the multiple Exchange Hybrid servers used to route emails from On-prem to Office 365 Cloud. There is no sensitive/critical data in this server,” PNB said.
According to CyberX9, a malicious attacker could easily control and access financial transactions, data on various loans and deals, and the accounts of all customers. The vulnerability was reportedly found in an Exchange server to which all other systems and networks are attached, and which is interconnected with other Exchange servers. That server shares all access with them, including access to all email addresses, and through it an attacker could obtain the master admin login.
Initially, PNB denied the glitch but later said: “The server is in a separate VLAN segment and customer data/applications are not affected due to this. Vulnerability assessments and penetration testing are done periodically by external CERT-In empanelled Information Security Auditors and the observations are complied with. Now this server has been shut down as a precautionary measure.”
On 19th November, CyberX9 filed a complaint with CERT-In and NCIIPC, after which the state-owned lender shut down the server.
It appears that the lender woke up and fixed the vulnerability only after CyberX9 discovered it and notified PNB through CERT-In and NCIIPC.
In a statement, Himanshu Pathak, managing director (MD) of CyberX9, said: “The vulnerability which we discovered was leading to the highest level of admin privilege in PNB's exchange servers. If you gain access to Domain Controller through an exchange server then the doors very easily open to make any computer accessible in the network.”
“These computers even include those that are being used in their branches and other departments,” he further added.
Meanwhile, CyberX9, in its blog post, asked for a thorough security audit of the Bank’s systems.