
Indian bank smacks down allegation it exposed 180 million customers’ accounts

India’s Punjab National Bank has smacked down a security firm’s allegation that it exposed personal and financial data of its 180 million customers – but appears to have admitted its Exchange Server implementation wasn’t in tip-top shape.

The allegation was made by Indian security consultancy CyberX9, which on Sunday blogged that it had discovered an unpatched vulnerability in the Bank’s systems that let it gain admin-level access on an internal server.

Active exploits already circulating that target the vulnerability could, according to CyberX9’s post, mean an attacker “potentially had the ability to remotely execute any code on them, steal data, make transactions, get complete control of such connected computer systems”.

Note that “potentially” – because CyberX9’s post doesn’t disclose which system was impacted. But in Indian outlet MoneyControl the firm is quoted as saying it was able to secure access to an Exchange Server. In the same report, the Bank admitted that it uses Exchange, but said the allegedly unpatched servers were only used to route mail to Office365 and contain no sensitive data.

In a notice pinned to its home page, and the MoneyControl report, the Bank has also stated that its core banking systems, and customer data, are isolated from the infrastructure exposed by the vulnerability.

“We have thoroughly checked our ICT systems those on Internet facing and operating in the background at PNB,” the notice declares, adding “There has been no breach of systems and pilferage of any personal data of any of our customers and account holders of PNB.”

The notice also explains that the Bank employs data loss prevention tools that “prevent any unauthorized data to be sent through emails”.

CyberX9 alleges that the Bank has been exposed for seven months – a timeframe that seems plausible given that in April 2021 Microsoft disclosed four serious flaws in Exchange Server. Those flaws were sufficiently serious that the United States National Security Agency urged swift remediation as they could “allow persistent access and control of enterprise networks”.

Regardless of its isolation arrangements, if Punjab National Bank did not apply those patches it is well short of best practice.

CyberX9 has called for a public audit of the Bank to reassure customers.

The Register has contacted CyberX9 and the Bank for comment, and will update this story if we receive meaningful responses. ®