CyberX9 questions PNB’s denial of server vulnerability

Cyber security firm CyberX9 has called Punjab National Bank’s (PNB) response to their research on the lender’s data breach as “false and misleading”. The firm also stated that PNB is trying to downplay the impact of the vulnerability discovered by CyberX9.

PNB in its clarification on CyberX9’s research had stated, “We have thoroughly checked our ICT systems those on Internet facing and operating in the background at PNB. There has been no breach of systems and pilferage of any personal data of any of our customers and account holders of PNB,” further adding that it is an established fact that hackers regularly attempt to penetrate every and all Internet-facing systems everywhere.

CyberX9 asked the lender if it has “checked every single computer system and servers in their massive network”, including their bank branches and other offices. It said that PNB has offered “baseless arguments” without actually putting in any effort to delve further into the problem. “They simply left the door to their internal systems open for ~7 months and now they’ve to check their whole network (a very big maze) to find if any attacker is covertly hiding,” it said.

It said that for a network of PNB’s size, it would take at least more than a month with a large team of “skilled security and forensic engineers to re-secure everything and find and clean up any infiltration”.

CyberX9 alleged that the lender is running away from a thorough independent security audit of their systems.

It said that PNB has been caught in its own game of downplaying the attack. If they were aware of hackers trying to attack, then why did they not fix the vulnerability, CyberX9 asked.

CyberX9 further questioned PNB’s statement which had argued that their data leak prevention solutions prevent unauthorised data from being sent through emails. “Any internal employee sending sensitive customer personal or financial data or internal confidential documents isn’t ‘unauthorised data’ and hence is indeed shared in emails,” it said.

PNB had stated that the bank is certified with International ISO 27001 best information security practices, which CyberX9 said has been violated after they left the vulnerability unpatched for seven months.

CyberX9 had revealed that a vulnerability in the bank’s servers had allegedly exposed the personal and financial details of its around 180 million customers for around seven months. The vulnerability gave access to the entire digital banking system of the bank with administrative control, the cyber security consultancy company had said. BusinessToday