An unprotected MongoDB server exposed hundreds of thousands of American Express (Amex) India customers’ personal data, according to a researcher.
Bob Diachenko, Director of Cyber Risk Research at Hacken, discovered that the unsecured server had been left reachable from the internet without a password, exposing customers’ personal data such as names, email addresses, phone numbers, and card details.
“On 23rd October I discovered an unprotected Mongo DB which allowed millions of records to be viewed, edited and accessed by anybody who might have discovered this vulnerability. The records appeared to be from an American Express branch in India,” Bob Diachenko stated in a blog post. “It is important to note that no special programmes were used, and I located these records by simply using IoT search engines such as Shodan and the newly created BinaryEdge.io.”
Most of the exposed data was encrypted, but the database included 2,332,115 records containing customers’ names, addresses, Aadhaar numbers, PAN card numbers, and phone numbers, hosted on the domain americanexpressindia.co.in. Diachenko also stated that the server was maintained by a subcontractor rather than by Amex. The issue was immediately reported to the American Express incident response team. American Express clarified that the MongoDB database was securely encrypted and that it had found no unauthorized access to the exposed data.
“We applaud AmEx’s rapid response to this issue, noting they immediately took down that server upon notification and began further investigations,” Diachenko added.
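As an added defensive check (not part of the article or of Hacken’s research), the script below audits a mongod.conf for the two settings whose absence produces exactly this kind of exposure: listening on every interface and running with authorization disabled. The minimal parser and the two sample configurations are constructed here and assume the plain key/value subset of YAML that mongod.conf uses.

```python
"""Audit a mongod.conf for the settings that let anyone who finds the port
read and edit the database. Constructed example; not Amex's or Hacken's code."""


def parse_simple_yaml(text):
    """Parse the nested 'key: value' subset used by mongod.conf.
    Assumption: space indentation, no lists, no multi-line scalars."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for the current nesting path
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:  # climb back to the enclosing mapping
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip("\"'")
        if value == "":  # a key with no value opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_conf(text):
    """Return findings for an internet-facing, unauthenticated deployment."""
    conf = parse_simple_yaml(text)
    net = conf.get("net", {})
    findings = []
    # mongod binds to localhost by default; 0.0.0.0 / :: / bindIpAll open it up
    ips = [ip.strip() for ip in net.get("bindIp", "127.0.0.1").split(",")]
    if any(ip in ("0.0.0.0", "::") for ip in ips) or net.get("bindIpAll") == "true":
        findings.append("net.bindIp: listens on all interfaces; restrict to "
                        "localhost or private addresses and firewall the port")
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization: not enabled; any client that "
                        "reaches the port can read and edit every collection")
    return findings


# constructed sample: the misconfiguration the article describes
EXPOSED_CONF = "storage:\n  dbPath: /var/lib/mongodb\nnet:\n  port: 27017\n  bindIp: 0.0.0.0\n"
# constructed sample: bound to specific addresses with authorization on
HARDENED_CONF = ("storage:\n  dbPath: /var/lib/mongodb\nnet:\n  port: 27017\n"
                 "  bindIp: 127.0.0.1,10.0.0.5\nsecurity:\n  authorization: enabled\n")

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

Enabling `security.authorization` only helps once an administrative user exists, so create one with `db.createUser` before restarting mongod with the hardened file.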