New Delhi: The vulnerability in the Punjab National Bank server allegedly exposed personal and financial information about around 180 million customers for about seven months, according to Cyber ​​Cyberx9 security company.
Cyberx9 has claimed that the vulnerability provides access to all PNB digital banking systems with administrative control.
Meanwhile, the bank has confirmed about that mistake but denied any important data exposure due to vulnerability.
PNB said “Customer data / applications are not affected because this server” and “has been turned off as a precaution.” “Punjab National Bank continues to endanger fund security, personal and financial information of more than 180 million (all) of its customers for about 7 months.
PNB only wakes up and improves vulnerabilities when Cyberx9 finds vulnerabilities and PNBs to be informed -in and NCIIPC,” said the founder of Cyberx9 and MD Himanshu Pathak told PTI.
He said the Cyberx9 research team found a very critical security problem in PNB which led to admin access to an internal server, then presented a large number of bank systems nationally open for cyber attacks over the past seven months.
Pathak said that vulnerabilities found on Exchange servers that are interconnected with other exchanges and share all access – including access to all email addresses that generate access to all email addresses.
“The vulnerability we find leads to the highest level admin privileges on the PNB exchange server.
If you get access to domain controllers through the Exchange server then the door is very easy to open to make a computer that can be accessed on the network.” This computer is even included in their branches and other departments, “said Pathak.
When contacted, PNB said the server where vulnerability was found not to have sensitive or critical data.” Servers where vulnerabilities are reported, are being used as one of the few Hybrid Exchange servers that are used to route e-mail from Cloud Office 365.
There is no sensitive / important data on this server, “PNB said.
PNB denied Cyberx9 claims about the impact of vulnerability in customer data Of course.
” The server is in a separate VLAN segment and customer data is not affected because of this.
Vulnerability assessment and penetration testing is carried out periodically by an external certificate information security auditor and observations are obeyed.
Now this server has been covered as a precaution, “said PNB.
According to Cyberx9, the vulnerability was reduced on November 19, and reported the incident to Indian Cyber ​​Security Watchdog Cert-in and the National Critical Information Infrastructure Infrastructure Protection Center (NCIIPC).