User information was leaked through an unprotected MongoDB server
The personal data of nearly 700k American Express customers in India have been accidentally exposed online via a MongoDB server without the necessary protection measures, as reported by specialists in digital forensics and information security from the International Institute of Cyber Security.
The server that leaked the personal information of the clients of the financial institution, which remained exposed online without password, was discovered three weeks ago by Bob Diachenko, an information security and digital forensics expert of the cybersecurity firm Hacken.
Most of the data on the server seemed to have been encrypted and required a key to decrypt and access them, but the investigator says that over 680k records were stored in simple text accessible to anyone who has found the database online.
Simple text logs, says the expert in digital forensics, contained the personal data of American Express customers in India, such as phone numbers, full names, email addresses and a small description of the type of card handled by the user. The data are not too confidential, but malicious actors could use them to drive spam campaigns or targeted advertising.
On the other hand, encrypted information, a total of 2,332,115 entries, contained more sensitive information. Based on the MongoDB table header, the investigator deduced that these records included customer names, addresses, Aadhar numbers (personal identification key of India population), permanent account numbers (used by taxpayers in India) and phone numbers.
Other tables within the exposed MongoDB database also contained links and access details for accounts in the americanexpressindia.co.in domain.
“After a thorough analysis, I have come to the conclusion that the database was managed by one of the subcontractors responsible for SEO or generation of American Express leads,” Diachenko said. “Many entries contained fields such as ‘CampaignID’, ‘prequalstatus’, ‘LeadID’ etc.”
Diachenko has reported that American Express India eliminated the unsecured server on the same day that the security alert was published, although the investigator admits that he does not know how long the server in question was exposed online.
However, American Express India stated that a subsequent investigation did not discover any “evidence of unauthorized access”, suggesting that Diachenko might have been the only one who accessed to the server during the period in which it remained exposed.
Diachenko has mentioned that it could not track the SEO service company that managed the vulnerable server; American Express did not disclose this information either.
The spokespersons of the financial institution have also not issued any additional statements.
A couple of weeks ago, Diachenko also discovered a leak of records information from Mindbody, one of the largest business management service providers in the US, as well as a data leak from a Maryland consultancy that handles funds for the Democratic Party.