Data about Amex India customers was exposed online via an unsecured MongoDB server. The 689,272 records included details like the customers’ names, phone numbers, email addresses, PAN card numbers, and the “type of card” description fields.
The breach was discovered by the cybersecurity firm Hacken on October 23 and announced by Bob Diachenko, its Director of Cyber Risk Research, who contacted the American Express incident response team. The company promptly secured the database from public access.
“5 Days in The Wild”
Seems like @AmexIndia exposed its #MongoDB for a while, with some really sensitive data (base64 encrypted). Now secured (just when I was preparing responsible disclosure), but question remains how long it was open. Found with @binaryedgeio engine. pic.twitter.com/3kbXaS4cIz
— Bob Diachenko (@MayhemDayOne) October 25, 2018
Amex’s MongoDB database was easy to find using the search engine Shodan and the BinaryEdge tool, a platform that scans the internet and indexes publicly reachable databases. According to the cybersecurity expert, the data had been available for at least five days when he discovered the breach.
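As an added, defender-side example (not code from the article, Hacken or American Express): a stdlib-only Python audit of a mongod.conf for the two settings that leave a server reachable and readable from the internet, the listening address (`net.bindIp` / `net.bindIpAll`) and `security.authorization`. The sample configs are constructed, and the localhost default assumed for a missing bindIp applies to MongoDB 3.6 and later.

```python
# Added example (not the article's or the companies' code): audit a
# mongod.conf for the settings that expose a database like the one above.
def parse_mongod_conf(text):
    """Parse mongod.conf's flat 'key: value' YAML into nested dicts."""
    root = {}
    stack = [(-1, root)]          # (indent, mapping) of open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:          # close deeper sections
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value:
            parent[key] = value
        else:                                  # start a nested section
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def audit(conf):
    """Return exposure findings; an empty list means the config is clean."""
    findings = []
    net = conf.get("net", {})
    # Assumption: MongoDB 3.6+ binds only to localhost when bindIp is absent.
    addrs = [a.strip() for a in net.get("bindIp", "127.0.0.1").split(",")]
    if net.get("bindIpAll", "false").lower() == "true" or \
            any(a in ("0.0.0.0", "::") for a in addrs):
        findings.append("net.bindIp: listening on every interface")
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization: no login needed to read data")
    return findings

# Constructed sample configs: the exposed shape, then the hardened one.
EXPOSED_CONF = """net:
  port: 27017
  bindIp: 0.0.0.0
"""
HARDENED_CONF = """net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""
if __name__ == "__main__":
    print(audit(parse_mongod_conf(EXPOSED_CONF)), audit(parse_mongod_conf(HARDENED_CONF)))
```

Binding to localhost alone is not enough if the server must be reachable by an application host; restrict the interface to that network and still require authorization.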
Bob Diachenko gave all the details of his discovery on the company’s blog:
“According to the search results from BinaryEdge.io, the database had been first indexed on 20th October meaning it had been in the wild for 5 days before I had spotted it!”
Diachenko added that the encrypted data included over 2.3 million records, most of them containing sensitive data such as names, Aadhaar numbers (the Indian equivalent of the SSN), PAN card numbers, addresses, and phone numbers.
A Subcontractor Caused the Breach
According to Bob Diachenko’s research, the database was not run by Amex India directly but by one of the company’s subcontractors responsible for SEO or lead generation. Amex India told Hacken that there was:
“no evidence of unauthorized access.”
It added that the database was securely encrypted.
Diachenko has a long history of uncovering exposed MongoDB databases. Last December, he discovered a leak that exposed data belonging to 31 million users of Ai.type, a virtual keyboard for smartphones.
Bob Diachenko stated in 2017:
“The danger of having [an] unprotected MongoDB [database] is huge. In January 2017, 27,000—or roughly a quarter—of MongoDB databases left open to the internet were hit by ransomware, and again in September 2017 three groups of hackers wiped out an estimated 26,000 MongoDB databases. The cybercriminals demanded that the owners of those databases pay around $650 in Bitcoin to regain their data.”
India Has the Highest Number of Breaches
Data breaches happen more often than you think. Every hour, almost 262,000 data records are lost or stolen, according to the Breach Level Index.
In 2017, India was the country that registered the highest number of breaches in the world, with over 33,000 breached records. Despite the large number, the effects of a data breach in India cost less than in Western countries.
The Ponemon Institute’s 2017 Cost of Data Breach Study also put the estimated probability of a data breach in India at 40.1%.