NPCI denies data breach of BHIM mobile app

The National Payments Corporation of India (NPCI) on Tuesday said that there has been no data compromise pertaining to the BHIM App and has requested everyone not to fall prey to such incorrect information.

In a statement, the NPCI said that it has conducted an independent verification of the recent news, including through a leading Digital Risk Monitoring firm who has reconfirmed that the claims against the BHIM App are untrue.

"There is no data leak with respect to the BHIM app," it said.

The statement comes a day after a report said that security researchers have discovered that about 7.26 million records linked to users of mobile payments app BHIM were left exposed to the public by a website.


The exposed data included sensitive information such as names, dates of birth, age, gender, home address, caste status and Aadhaar card details, among others, said the report from VPN review website vpnMentor.

NPCI said CSC e-Governance Services India Ltd was working in 2018 on a project to educate and activate village level entrepreneurs on digital payments and also educating them to create Merchant Virtual Payment Address (VPA). Most of these VPAs were not valid UPI IDs.

Moreover, it said that UPI ID is a virtual ID that is meant to be shared conveniently, instead of real account details. The UPI ID can be used to receive money. The user can simply share his UPI ID with the payer and receive payment directly in his bank account.

This is a standard feature used by merchants, who only need to receive money using UPI, it said.

Based on the findings from the Digital Risk Monitoring firm, it is ascertained that there is not a single instance of data breach compromising financial details of the customers, the NPCI statement said.