An unsecured MongoDB server has exposed personal data on 689,272 American Express India customers.
The researcher who discovered the server, Bob Diachenko, director of cyber risk research at Hacken, said in a blog post that the bulk of the data it housed, more than 2.3 million records, was encrypted and required an encryption key, but nearly 700,000 customer records were in plaintext, exposing names, email addresses, phone numbers and card types.
“Upon closer examination, I am inclined to believe that the database was not managed by AmEx itself but instead by one of their subcontractors who were responsible for SEO or lead generation,” Diachenko wrote. “I came to this conclusion since many of the entries contained fields such as ‘campaignID’, ‘prequalstatus’ and ‘leadID’ etc.”
The unprotected server is one in a long string of similar exposures. “There have been several instances in the past where MongoDB servers were compromised simply because they were being set up without proper authentication and, thus, were left open on the Internet,” said Rod Soto, director of security research at JASK. “The compromise workflow for these types of data leaks is simple. Sensitive information is left publicly available in a data repository due to poor developer practices – and essentially has a bullseye on it to be targeted by malicious actors that scan these repositories to find vulnerable ones and compromise valuable info.”
Soto said that “large data leaks like this Amex India instance should drive home how pivotal it is to take proper security precautions with all third-party services. If they’re not configured properly, they will continue to lead to massive data leaks.”
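The misconfiguration Soto describes, a mongod listening on every interface with no authorization, next to the hardened equivalent, as an added illustration that is not from the article or from Hacken; the private address and certificate path are placeholders.

```yaml
# Added example, not from the article: the exposed pattern first.
# WEAK: listens on all interfaces and accepts any client without credentials,
# so every collection is readable by whoever can reach TCP/27017.
net:
  bindIp: 0.0.0.0
  port: 27017
security:
  authorization: disabled
---
# HARDENED: bind only to loopback plus the application network, require
# a user with a role on every connection, and encrypt the transport.
# Create the first admin user over the localhost exception before enabling
# authorization, or you lock yourself out.
net:
  bindIp: 127.0.0.1,10.0.0.5      # placeholder private address of the app host's network
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path
security:
  authorization: enabled            # every client must authenticate
```

After restarting with the hardened file, an unauthenticated client should be refused when it tries to list databases; that refusal is the check to run before handing a dataset to any third party.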