Security researcher Bob Diachenko detected an unsecured MongoDB instance that was publicly accessible without any password protection. The leaky MongoDB instance exposed the private data of 458,388 individuals residing in Delhi, India.
The unprotected database was 4.1 GB in size and was named ‘GNCTD’, which stands for Government of National Capital Territory of Delhi. The exposed data included individuals’ personal data such as Aadhaar numbers, voter card numbers, ration card numbers, designation, means of transportation, health conditions, monthly income, and education.
What information was exposed?
The MongoDB instance contained the following records:
The ‘Households’ record contained fields such as name, house number, floor number, geolocation, area details, the supervisor’s email ID, whether the household is cooperating with the survey, type of latrine, whether a functional water meter is present, ration card number, whether an internet facility is available, and an informant name field.
The ‘Individuals’ record contained individuals’ personal information such as Aadhaar numbers, voter card numbers, health conditions, education, designation, monthly income, and similar details.
Who does it belong to?
The security researcher analyzed the unsecured MongoDB instance and found connections to a company named ‘Transerve’. Diachenko also noted that the ‘Users’ and ‘Registered Users’ records contained references and email addresses on the ‘transerve.com’ domain.
Upon discovering the exposure, Diachenko immediately contacted Transerve via email to notify them about the unprotected MongoDB instance. However, the security researcher did not receive any response from the company.
What actions were taken?
Later, Diachenko notified CERT India about the leaky database containing personal details of Delhi residents. CERT India is the Indian Computer Emergency Response Team, which deals with cybersecurity threats such as hacking and phishing. Consequently, the leaky database was secured and taken offline.
“The danger of having an exposed MongoDB or similar NoSQL databases is a huge risk. We have previously reported that the lack of authentication allowed the installation of malware or ransomware on thousands of MongoDB servers,” Diachenko noted in a blog post.
“The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges. Once the malware is in place, criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains,” the security researcher added.
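The two conditions Diachenko describes, a server with no authentication and a listener bound to every network interface, are both visible in a plain mongod.conf before anything is ever exposed. The script below is an added example written for this article, not code from the researcher or from Transerve: it parses the indentation-nested key/value subset of YAML that mongod.conf uses (no external YAML library needed) and flags the weak settings next to a hardened configuration. Both configuration samples are constructed for illustration, and the `security.authorization`, `net.bindIp`, `net.bindIpAll` and `net.tls.mode` keys are standard mongod options; the private address `10.0.0.5` is a placeholder.

```python
"""Audit a mongod.conf for the misconfigurations that make a MongoDB instance
publicly readable: no authentication, a listener on all interfaces, and no TLS.
Added example for this article; the configs below are constructed samples."""

# Constructed sample: the shape of config behind an open MongoDB (not the real one).
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0      # listens on every interface
# no 'security' section: authorization is off by default
"""

# Constructed sample: the same server with the three controls in place.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one private address (placeholder)
  tls:
    mode: requireTLS
security:
  authorization: enabled
"""


def parse_yaml_subset(text):
    """Parse the 'key: value' / nested-by-indentation subset of YAML that
    mongod.conf uses. Comments and blank lines are skipped; lists, anchors
    and quoted strings containing '#' are deliberately not supported."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        # Close every mapping that is at the same or deeper indentation.
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def get(conf, path, default=None):
    """Look up a dotted path such as 'net.tls.mode'; missing keys give default."""
    node = conf
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit(conf_text):
    """Return a list of findings for the given mongod.conf text (empty if clean)."""
    conf = parse_yaml_subset(conf_text)
    findings = []

    # 1. Authentication: mongod runs without it unless explicitly enabled.
    auth = str(get(conf, "security.authorization", "disabled")).lower()
    if auth != "enabled":
        findings.append("security.authorization is not 'enabled': any client that "
                        "can reach the port can read and modify every collection")

    # 2. Exposure: since 3.6 mongod binds to localhost by default, so an
    #    explicit 0.0.0.0 / :: or bindIpAll is what puts it on the internet.
    bind = str(get(conf, "net.bindIp", "127.0.0.1"))
    bind_all = str(get(conf, "net.bindIpAll", "false")).lower() == "true"
    if bind_all or any(a.strip() in ("0.0.0.0", "::") for a in bind.split(",")):
        findings.append("net.bindIp listens on all interfaces: restrict to "
                        "loopback or private addresses and firewall port 27017")

    # 3. Transport: without TLS, credentials and records cross the wire in clear.
    if get(conf, "net.tls.mode", "disabled") != "requireTLS":
        findings.append("net.tls.mode is not 'requireTLS': traffic is unencrypted")

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for f in audit(text) or ["no findings"]:
            print("  -", f)
```

Run against a real file with `audit(open("/etc/mongod.conf").read())`. Enabling `security.authorization` alone is not enough on a server that is already reachable: create the administrative user first, then restart with authorization on, and keep the bind address restricted so that a future configuration slip does not reopen the port to the internet.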