Govt document reveals cybersecurity lapses at NPCI in 2019: Report

A government audit of India’s flagship payments processor previous yr observed more than forty safety vulnerabilities together with numerous it known as “essential” and “significant” threat, in accordance to an internal government doc noticed by Reuters.

The audit, which took position about four months to February 2019, highlighted a deficiency of encryption of personalized data at the Nationwide Payments Corporation of India (NPCI) which forms the spine of the country’s digital payments process and operates the RuPay card community championed by Key Minister Narendra Modi.

The March 2019 government doc cited the storing of 16-digit card numbers and other personalized details such as buyer names, account numbers, and nationwide identity numbers in “basic textual content” in some databases, leaving the data unprotected if the process was breached. The audit has not formerly been reported.

The NPCI stated in a statement to Reuters it is on a regular basis audited in the pursuits of safety and senior management testimonials all findings, which are then “remediated to (the) fulfillment of the auditors”. This incorporates the findings cited by Reuters, it stated.

ALSO Read through: Malware, ransomware prime cyberthreats in India: Microsoft report

India’s Nationwide Cyber Safety Coordinator, Rajesh Pant, whose office environment coordinated the audit, also stated in a statement to Reuters that “all observations raised in previous year’s report have been confirmed as settled by the NPCI”.

Pant added audits are greatest methods for the mitigation of cyberattacks and are executed on a periodic foundation by all enterprises.

The audit was carried out to provide Modi’s Nationwide Safety Council with an overview of the NPCI’s defenses from cyberattacks. Modi’s office environment and the finance ministry did not react to a Reuters request for comment.

The audit’s findings underscore the data-safety problems faced by the NPCI which processes billions of dollars each day via services that involve inter-financial institution fund transfers, ATM transactions and digital payments.

In India and further than, economical institutions are under enormous force to mount successful defences to defend their buyers as the amount of malicious cyberattacks grow and hackers come to be more subtle.

Set up in 2008, the NPCI is a not-for-revenue enterprise which as of March 2019 counted fifty six financial institutions as its shareholders, together with the Point out Lender of India, Citibank and HSBC.

RuPay, in specific, has been enthusiastically endorsed by Modi who has likened its use to a nationwide obligation. It has developed to account for just about two-thirds of approximately 900 million debit and credit score cards issued in India as of October, in accordance to NPCI and central financial institution data.


The audit followed a Reserve Lender of India (RBI) inspection report on the NPCI in July 2017 that observed lapses in its internal auditing methods, operational dangers and poor whistleblower insurance policies.

There was “deficiency of recognition of dangers and threat culture in the institution,” in accordance to a mainly redacted version of the 37-page report that was attained by Reuters via the Ideal to Data Act (RTI) previous yr.

The 2019 government doc about the audit also mentioned: “There is a powerful need for right governance.”

The RBI executed one more inspection in between November and December 2019. A 33-page report on that audit bundled its evaluation of NPCI’s governance and operational and credit score dangers. But most of the report, also attained by Reuters via the RTI Act, was redacted by the central financial institution which cited the need to defend India’s and the NPCI’s financial pursuits.

The NPCI in its statement did not comment specifically on the RBI experiences, but stated all observations cited by Reuters were being remediated. The RBI did not comment on the experiences.

Difficulties CITED

The March 2019 government doc stated a selection of card numbers were being unencrypted inside the NPCI databases for the country’s community of just about 250,000 ATMs, while unencrypted RuPay card numbers could also be noticed in the organisation’s server logs.

It recommended that sensitive data, buyer data and personalized identity details be “thoroughly encrypted/masked in the databases and logs”.

NPCI stated in its statement to Reuters that it shops card data in line with expectations set by the PCI Safety Benchmarks Council, and has been subject to audits authorised by the council. “No non-conformities have been noticed and we are totally compliant to these expectations,” the statement stated.

Other significant threat concerns in RuPay and other NPCI purposes cited by the government audit bundled so-known as “buffer overflow” vulnerability, a memory basic safety issue that can allow hackers to acquire benefit of coding mistakes.

Working units utilised by the NPCI were being not “up to date” and a single of its mail servers experienced inadequate anti-malware performance, it also stated.

The audit was executed by a team of 10 to 12 people at NPCI’s Mumbai headquarters and workplaces in two other towns, a person familiar with the make a difference stated, declining to be identified.