New Delhi: The Punjab National Bank (PNB) has denied media reports that over 180 million customers’ data has been breached or exposed, adding that the bank is certified with ISO 27001 standards for information security practices.
PNB responded to media reports published Sunday, based on the findings by Chandigarh-based cybersecurity firm CyberX9, with a statement the next day. “There has been no breach of systems and pilferage of any personal data of any of our customers and account holders of PNB,” the banking giant said.
In a 21 November blog post, CyberX9 claimed: “Punjab National Bank — India’s top public bank — kept severely compromising the security of funds, personal and financial information of over 180 million (all) of its customers for 7 months.”
The cybersecurity firm alleged that a PNB internal server had a vulnerability that would have allowed a malicious hacker to get access to it. If a hacker got in, they could have gained access to the nationwide computer systems of the bank.
A hacker can use such a vulnerability to remotely execute any code on the computers located at bank branches and other internal departments to “steal data, make transactions, get complete control of such connected computer systems”, CyberX9 said.
The firm added that the issue could have been fixed with a security patch that has been available since May this year, but the vulnerability exposing customer data was only fixed months later, after CyberX9 had reported the issue on 18 November to two government entities — the Indian Computer Emergency Response Team (CERT-In) and National Critical Information Infrastructure Protection Centre (NCIIPC).
“PNB doesn’t have any cyber security contact to responsibly report security vulnerabilities mentioned anywhere,” the blog post said.
Responding to this claim, PNB said it “thoroughly checked” all its computer systems and found that no breach has occurred.
‘There may have been an unauthorised attempt’
However, the bank’s statement did indicate there may have been an unauthorised attempt to gain access to its computers. “The reported attempt of the perpetrator was monitored and checked,” the statement mentioned.
PNB said its critical ICT (Information and Communication Technologies) systems that deal with bank transactions are maintained in a secure zone that does not allow unauthorised access “to any one, including internal staff” and the computer systems are monitored “round the clock”.
PNB further said that the “bank has deployed data leak prevention solutions which prevent any unauthorised data to be sent through emails…. The data at rest and transit are encrypted using proprietary algorithms”.
It added that it is certified as compliant with ISO 27001 standards for information security management practices as well.
(Edited by Saikat Niyogi)