Personal data of nearly 700,000 Amex India
customers exposed online via a mongo DB server, which was left unsecured
unintentionally. The unsecured online server discovered as password less three
weeks ago by Bob Diachenko, Director of Cyber Risk Research at cyber-security
firm Hacken.
Most of the data in the server appeared as
encrypted format and you have to put decryption key to access and read the
data, but the researcher said 689,272 records were stored in plain text and
anybody could have access online of those information.
Diachenko says, the plaintext records
contain personal informations of customers like full name, phone number,
address, and card type in description field. However these data is not so
useful to do any compromise but it is more than enough to run a spam campaign.
On the other side the encrypted record,
which summed as 2,332,115 entries. Which contains more information based on
mongo DB table header. Such as customer full name, Adhar Number, addresses, PAN
card numbers and phone numbers.
"Upon closer examination, I tend to
believe that the database was managed not by Amex but one their subcontractors
responsible for SEO or lead generation," said Diachenko.
Nonetheless, Amex India claimed that investigation
did not discover any "evidence of unauthorized access," suggesting
that Diachenko could have been the only person who accessed the server during
its exposure.
Diachenko also found an unsecured Elastic
Search cluster, which contains millions of records of Mindbody (one of the largest wellness service provider in US), just two weeks before discovering the
vulnerable Amex server. He also found data leaks from Maryland consulting firm
well known for the fundraiser for the Democratic party.
0 comments:
Post a Comment