- An unsecured MongoDB server was discovered containing personal data of around 700,000 American Express India customers.
- The unsecured server was discovered by security researcher Bob Diachenko.
- The records were stored in plain text and could be viewed, edited and accessed by anyone.
- The researcher notified the company about the incident and the server was secured.
A security researcher has discovered an unsecured MongoDB server containing personal information of around 700,000 American Express (Amex) India customers.
The unprotected server was discovered by Bob Diachenko, Director of Cyber Risk Research at Hacken.
The server contained more than 2.3 million records. Most of the data was encrypted and required decryption to access, but 689,272 records were stored in plain text and could be viewed, edited and accessed by anyone.
The exposed records contain personal data of Amex India customers such as phone numbers, names, email addresses, and ‘type of card’ description fields.
The encrypted data includes 2,332,115 records containing information such as names, addresses, Aadhaar numbers, PAN card numbers and phone numbers.
“Files hosted on the AmEx India website (links to which were also included in the exposed database) contained detailed unencrypted information on hundreds of thousands of AmEx customers, incl. names, mobile phones, and PANcard numbers.”
According to search results from BinaryEdge.io, the database was indexed on 20 October, and the researcher discovered it on 23 October 2018.
On further analysis, the researcher discovered that the database was managed by one of Amex's subcontractors, which handled SEO.
The researcher notified American Express about the issue and they immediately secured the database.
The company also said they did not find any evidence of any misuse or unauthorised access to the server.