Around 700,000 customers of American Express India’s data was left exposed in an unsecured database. The accidental data leak was caused by a MongoDB server that was left exposed without any password protection. The unsecured database contained 689,272 records in plaintext and accessible to anyone on the internet.
According to Bob Diachenko, director of cyber risk research at Hacken.io, who discovered the breach, the database contained personal details of Amex India customers. The data exposed included full names, email addresses, phone numbers, card details and more. The database remained accessible to anyone on the internet for five days before Diachenko stumbled upon it.
“The encrypted data included 2,332,115 records which included names, addresses, Aadhar numbers (Indian government unique ID number), PAN card numbers and phone numbers,” Diachenko said in a blog. “Upon closer examination, I am inclined to believe that the database was not managed by AmEx itself but instead by one their subcontractors who were responsible for SEO or lead generation. I came to this conclusion since many of the entries contained fields such as ‘campaignID’, ‘prequalstatus’ and ‘leadID’ etc.”
Diachenko said that he alerted Amex and the firm has since secured the database. Amex also said that the database was not accessed by any unauthorized parties, indicating that the data may have stayed safe. However, this breach is just one among a long line of similar cloud misconfiguration breaches. It highlights how organizations can likely lose critical corporate and user data and serves as a reminder to implement robust security measures.