Server vulnerability exposes PNB customers’ data for seven months

Information of over 180 million Punjab National Bank customers remained exposed for around seven months due to a vulnerability in the lender’s servers. The vulnerability was found by cybersecurity firm CyberX9 and reported to the bank through CERT-In and NCIIPC.

The security firm confirmed that the security of funds and of personal and financial information was exposed for 7 months. The vulnerability led to admin access to internal servers and left them open to cyber-attacks. It was found in an Exchange server interconnected with other Exchange servers. That server shares all access, including access to all email addresses.

CyberX9 also confirmed that the vulnerability could have been easily fixed in May 2021 with just a security update to a server application. Ransomware attackers actively exploit such vulnerabilities to perform ransomware attacks against big organizations.

It seems the information security team (if there is one) of PNB is careless and didn’t bother to follow the most basic cyber security practices. PNB also has no way to responsibly report security vulnerabilities. It’s 2021, and most companies not only take information security seriously but also run bug bounty programs or at least have a way to responsibly report vulnerabilities.

PNB claims that no critical data was exposed due to the vulnerability. The technical team of the bank has shut down the server as a precautionary measure. PNB also denied CyberX9’s claim on the threat to customers’ data due to the vulnerability.

“The server wherein the vulnerability was reported, was being used as one of the multiple Exchange Hybrid servers used to route emails from On-prim to Office 365 Cloud. There is no sensitive/critical data in this server,” PNB said.
