Cybersecurity firm CyberX9, which alleged there was a vulnerability in the internal server of the Punjab National Bank (PNB), on Tuesday questioned the bank’s claims that no breaches or leaks of customer data took place.
CyberX9, in a statement, asked, “Have they checked every computer system and server in their huge network, which even includes the computer systems of their large number of bank branches and other offices? This is a baseless argument from PNB without making any real effort to verify whether there are already attackers in their network who could have entered at any time during those ~7 months that they were vulnerable. They simply left the door to their internal systems open for about 7 months and now they have to check their entire network (a very large maze) to find out if an attacker is secretly hiding.”
“For PNB’s network scale (an extremely large number of systems that includes computers in bank branches and other servers), it will take at least more than a month, even for a very large team of engineers skilled in security and forensics, to re-secure everything and find and clean up any infiltration. Until then, PNB cannot be considered secure. Let’s not forget that CERT-In and NCIIPC accepted our reports, in which we mentioned the impact of the vulnerability, which we also described in our blog. And also that PNB had to shut down its server after our report, which is important because it shows the severity of the vulnerability and its impact,” he added.
Following several vulnerability reports concerning the internal server of the Punjab National Bank, which allegedly exposed customers’ personal and financial information, the bank on Monday denied any breach of its systems or possibility of data exposure. The bank has deployed data loss prevention solutions that prevent unauthorized data from being sent via email, it said.
Responding to PNB’s claims regarding the deployment of data loss prevention solutions that prevent unauthorized data from being sent via email, CyberX9 said, “This is an irrelevant statement here as it is unclear what they mean by ‘unauthorized data’. Any internal employee sending sensitive personal or financial data to customers or internal confidential documents is not ‘unauthorized data’ and therefore is effectively shared in emails.”
CyberX9 even questioned PNB’s ISO 27001 certification, saying the bank violated that standard by not reporting and fixing the vulnerability in a timely manner.