India's Largest bank SBI with Poor Digital Security Practices - Leaked Millions of Customers Account Data


By MYBRANDBOOK


What is the guarantee of the security of my SBI account, held with the country's largest bank, which follows poor digital security practices? Absolutely none.

A report from TechCrunch on Wednesday disclosed that an SBI data server hosted in Mumbai had leaked the details of millions of bank accounts. The server stored two months of data from SBI Quick, a text-message and call-based system that customers of the government-owned State Bank of India (SBI), the largest bank in the country and a highly ranked Fortune 500 company, use to request basic information about their bank accounts. An anonymous security researcher highlighted that "the bank had not protected the server with a password, allowing anyone who knew where to look to access the data on millions of customers' information".

The report states that the data was drawn from "SBI Quick", one of the bank's free services, which lets customers view their account balance, transaction statements and more by sending SMS messages containing pre-defined keywords. For example, for a balance inquiry, one texts "BAL" to a specific number, and the server replies with the total balance of the bank account associated with that number.

It is not clear how long the server was left unsecured, but after TechCrunch reached out to SBI, the issue was fixed. SBI did not comment on the matter.

The TechCrunch team was able to see text messages going to customers through this unsecured server in real time; the password-less database exposed all of them, including customers' phone numbers, bank balances and recent transactions. The database also contained customers' partial bank account numbers. Some messages stated when a cheque had been cashed, and many of the bank's outgoing messages included a link to download SBI's YONO app for internet banking.

The bank sent out close to three million text messages on Monday alone.


The database also had daily archives of millions of text messages each, going back to December, allowing anyone with access a detailed view into millions of customers’ finances.


We verified the data by asking India-based security researcher Karan Saini to send a text message to the system. Within seconds, we found his phone number in the database, including the text message he received back.


"The data available could potentially be used to profile and target individuals that are known to have high account balances," said Saini in a message to TechCrunch. Saini previously found a data leak in India's Aadhaar, the country's national identity database, and a two-factor bypass bug in Uber's ride-sharing app. Saini added that knowing a phone number "could be used to aid social engineering attacks - which is one of the most common attack vectors in the country with regard to financial fraud."

SBI claims more than 500 million customers across the globe, with 740 million accounts.

Just a few days earlier, SBI had accused Aadhaar's authority, UIDAI, of mishandling citizen data in a way that allowed fake Aadhaar identity cards to be created, despite numerous security lapses and misuse of the system. UIDAI denied the report, saying there was "no security breach" of its system.

TechCrunch reached out to SBI and India’s National Critical Information Infrastructure Protection Centre, which receives vulnerability reports for the banking sector.


It is unclear how long the hosting server was left unprotected without a password, but any tech-savvy person who knew where to look could have accessed the data of millions of account holders of the government-owned State Bank of India.

This is probably one of the biggest leaks of Indian citizens' data since the Aadhaar data leak in early 2018, in which the data of over 1.2 billion users was exposed.

Copyright www.mybrandbook.co.in @1999-2024 - All rights reserved.
Reproduction in whole or in part in any form or medium without express written permission of Kalinga Digital Media Pvt. Ltd. is prohibited.