What happened in the BSNL data breach?
According to reports, BSNL (Bharat Sanchar Nigam Limited) suffered two major data breaches in the last 6 months that exposed around 278GB of sensitive information on the internet. In the first breach, around 191GB of data was exposed in December 2023, while the second breach saw around 87GB of data left unprotected in June 2024.
The exposed datasets contained several terabytes' worth of call data records (CDRs), SMS logs and details of thousands of BSNL’s mobile and broadband customers across India. They included personally identifiable information such as names, phone numbers, addresses, email IDs, billing and payment history, recharge details and more.
Some of the files contained raw dumps from various core backend systems of BSNL including billing, CRM and other operational data. The data was not encrypted or password protected and was found hosted on an unprotected Amazon Web Services (AWS) storage bucket.
Expert comments on the massive data breach
Security researchers and experts described the BSNL data breach as “massive” and “concerning”. They said exposing such a large amount of customer data not once but twice in a short span of 6 months raises serious questions about BSNL’s data security practices and protocols.
Raj Samani, McAfee Enterprise’s chief scientist, said, “The BSNL data breaches yet again highlight the need for all organizations to implement least privilege access models, enforce strong authentication, monitor access controls and conduct regular audits. Customers' personal data needs to be handled with utmost care and responsibility.”
Researchers also mentioned that sensitive business and technical insights gleaned from the exposed data could potentially be misused. Bad actors could use the leaked information for everything from spam and phishing campaigns to identity theft.
What actions has BSNL taken?
BSNL acknowledged the data breach incidents and said it has started taking corrective actions. A spokesperson said they were investigating the lapses with help from external cybersecurity experts. The exposed Amazon storage buckets were also secured.
The state-run telco said it will conduct an internal audit of all third-party-managed infrastructure and servers. Two-factor authentication is being implemented for accessing sensitive systems. Staff will have to undergo data security awareness training.
BSNL assured its customers that it takes customer privacy very seriously. No financial loss has been reported so far due to the breaches. It urged users to remain vigilant against any suspicious communications or activities that cite the leaked data.