The Target: BharatPay, an India-based financial services firm providing cash deposits, fund transfers, and online purchasing.
The Take: 37,000 records of personally identifiable information were exposed, including usernames, hashed passwords, mobile phone numbers, email addresses, transaction data (such as transaction ID and bank balance), and API keys.
The Vector: The firm was running an outdated version of PHP, which allowed the threat actor to inject malicious JavaScript code and have it executed. The firm had last updated its software years earlier, in 2020. By exploiting a known issue, the attacker was able to penetrate the firm’s systems.
This breach highlights the ongoing need for regular, prompt patching of all software the firm relies on for daily operation. When the software company fixes known vulnerabilities and releases patches to the public, it is incumbent upon the firm to take responsibility and deploy those patches immediately, avoiding a loss of integrity and data that could easily have been prevented.