Press Statement — 23rd November 2021

Reply to Punjab National Bank's false and misleading statement regarding our research


1. PNB claims in their statement that "we have thoroughly checked our ICT systems those on Internet facing and operating in the background at PNB" and "there has been no breach of systems and pilferage of any personal data".

Our reply:

- Have they checked every single computer system and server in their massive network, which even includes the computer systems in their large number of bank branches and other offices?

- It is a baseless argument from PNB, made without putting any actual effort into checking whether attackers are already in their network; an attacker could have entered at any point in the ~7 months during which they were vulnerable. They simply left the door to their internal systems open for ~7 months, and now they have to check their whole network (a very big maze) to find out whether any attacker is covertly hiding in it.

- For the scale of PNB's network (an extremely large number of systems, including the computers in bank branches and other servers), it will take at least more than a month, even for a very large team of skilled security and forensic engineers, to re-secure everything and to find and clean up any infiltration. Until then PNB can't be considered secure.

- We should not forget that CERT-In and NCIIPC accepted our reports to them, in which we described the impact of the vulnerability, as we also did in our blog. Also, PNB had to shut down their server after our report, which is a big thing, since it shows the severity of the vulnerability and its impact.

- Why not publish an investigation report into the incident? Why are they running away from the demand for a thorough independent security audit of all of their systems? How can they be the judge of their own acts after proving their utter negligence towards the security of the funds and the personal and financial data of their over 180 million customers?

2. They mentioned, "It is an established fact that hackers regularly attempt to penetrate every and all Internet facing systems anywhere in the world."

Our reply:

PNB is caught in its own game of trying to downplay the impact of the vulnerability we discovered.

If PNB is aware of the established fact that malicious hackers regularly attempt to penetrate systems anywhere in the world, then why didn't they fix the vulnerability in the last ~7 months? This is a very concerning statement from PNB, since it hints that PNB may have been aware of the vulnerability and intentionally didn't fix it for some secret beneficial reasons, and as a result left the funds and the personal and financial data of over 180 million customers at risk.

3.1 They claim that they've deployed data leak prevention solutions which prevent any unauthorized data to be sent through emails.

Our reply:

- This is an irrelevant statement here, since it's unclear what they mean by "unauthorized data". An internal employee sending sensitive customer personal or financial data or internal confidential documents isn't sending "unauthorized data", and hence such data is indeed shared in emails.

3.2 They mentioned "The said zone does not permit unauthorized access to any one including internal staff"

Our reply:

- So how does their bank operate if internal staff can't access customer data and internal confidential data? It's a laughably lame statement.

3.3 They mentioned "The data at rest and transit are encrypted using proprietary algorithms"

Our reply:

- Irrelevant. When the data is accessed through internal systems as an administrator, or as an authorized employee would access it, it has to be shown unencrypted.

4. They claim "The bank is certified with International ISO 27001 best information security practices".

Our reply:

- They have in fact even violated ISO 27001, because this vulnerability remained unpatched in their systems for ~7 months.

- ISO 27001 requires a certified organization to carry out "timely identification of vulnerabilities" and to remediate them. PNB failed to identify a widely exploited vulnerability for ~7 months. How does it still comply with ISO 27001? They are clearly in breach of it.


Press team,

CyberX9

press@cyberx9.com

Our research blog post about PNB finding: https://www.cyberx9.com/pnb-critical-security-vulnerability-blog
