MongoDB server exposes personal info on 700K Amex India customers

What could be more fateful than the fact that, an unsecured MongoDB server has exposed the personal data on 689,272 American Express India customers.

Bob Diachenko, director of cyber risk research at Hacken – The researcher who discovered the server said in a blog post that the bulk of the data – more than 2.3 million records – it housed was encrypted, requiring an encryption key but the nearly 700,000 customer records were in plaintext, exposing names, email addresses, phone numbers and card types.

Diachenko wrote. “I came to this conclusion since many of the entries contained fields such as ‘campaignID’, ‘prequalstatus’ and ‘leadID’ etc. Upon closer examination, I am inclined to believe that the database was not managed by AmEx itself but instead by one their subcontractors who were responsible for SEO or lead generation.”

The unprotected server is one in a long string of similar exposures. “There have been several instances in the past where MongoDB servers were compromised simply because they were being set up without proper authentication and, thus, were left open on the Internet,” said Rod Soto, director of security research at JASK. “The compromise workflow for these types of data leaks is simple. Sensitive information is left publicly available in a data repository due to poor developer practices – and essentially has a bullseye on it to be targeted by malicious actors that scan these repositories to find vulnerable ones and compromise valuable info.”

Soto said that “large data leaks like this Amex India instance should drive home how pivotal it is to take proper security precautions with all third-party services. If they’re not configured properly, they will continue to lead to massive data leaks.”