- Jana Bank had a publicly accessible database that held records of millions of financial transactions.
- The data also contained internal records and other details such as IP addresses, ports and pathways.
An unprotected database belonging to Jana Small Finance Bank was found leaking millions of transaction-related records of its customers. The discovery was made by security researcher Jeremiah Fowler. According to Fowler, he came across the database, which was associated with a portal called Jana Cash, on May 26, 2019. After the bank was contacted, the database was closed and public access was restricted.
Jana Small Finance Bank is an Indian banking firm based in Bengaluru. It is one of the largest Micro Finance Institutions (MFIs) in India.
- The leaky database was identified to be an open Elasticsearch database that could be accessed without any credentials.
- It had around 2.6 million records which included personally identifiable information, wallet ID, usernames, emails, and other transaction-related data. In addition, it also contained internal records.
- IP addresses, ports, pathways, and storage information were also found.
In his blog, Fowler states that the database held personally identifiable information including Know Your Customer (KYC) information. “The bad part is the KYC verification information was stored in a publicly accessible database that anyone with an internet connection could access. Jana Bank requires one of the following: Aadhaar Card, Voter Id, Driver’s License, PAN Card, Passport,” he explained.
It is unclear whether Jana Small Finance has notified all the affected customers regarding this data exposure incident. With microfinance growing significantly in India, institutions that provide these services can be a prime target for attackers if there are lapses in security.