India’s Punjab National Bank has denied a security firm’s allegation that it exposed the personal and financial information of its 180 million customers – but appears to have admitted that its Exchange Server deployment was not in tip-top shape.
The allegation was made by Indian security consultancy CyberX9, which blogged on Sunday that it had discovered an unpatched vulnerability in the bank’s systems that allowed it to access an internal server at the administrator level.
According to the CyberX9 article, active exploits already in circulation that target the vulnerability could mean that an attacker “had the potential to remotely execute any code, steal data, conduct transactions and have complete control over such connected computer systems to get”.
Note the “potential” – because CyberX9’s post does not reveal which system was affected. But the company told Indian outlet Moneycontrol that it was able to gain access to an Exchange server. In the same report, the bank admitted to using Exchange, but said the allegedly unpatched servers were only used to route email to Office 365 and do not hold any sensitive data.
In a message pinned to its homepage, and in the Moneycontrol report, the bank also stated that its core banking systems and customer data are isolated from the infrastructure exposed by the vulnerability.
“We have thoroughly checked our ICT systems, which are connected to the Internet and run in the background at PNB,” the statement reads, adding: “There was no system breach and no personal data theft of our customers and account holders at PNB.”
The notice also states that the bank is using data loss prevention tools that “prevent unauthorized data from being sent via email”.
CyberX9 claims the bank was exposed for seven months – a timeframe that seems plausible, because in April 2021 Microsoft disclosed four serious bugs in Exchange Server. Those flaws were serious enough that the United States National Security Agency urged that they be patched quickly, as they could allow “persistent access and control of enterprise networks.”
If Punjab National Bank did not apply those patches, it fell far short of best practice, whatever isolation measures it had in place.
CyberX9 has requested a public audit of the bank to put customers at ease.
The Register has contacted CyberX9 and the bank for comment and will update this story if we receive meaningful responses. ®