Mistakes by AMEX left the personal information of thousands of Indian customers unsecured

A database belonging to American Express India was reachable by anyone on the Internet for more than five days in October.

The unprotected database, discovered on October 25 by Bob Diachenko, who leads IT risk research at Hacken's cyber-consulting team, contained the names of Amex customers, their phone numbers, addresses, PAN numbers, and Aadhaar credentials.

Diachenko notes that most of the database was encrypted, but several collections hosted on americanexpressindia.co.in also held readable data. The largest of these contained 689,272 records in plain text.

The researcher said Amex's MongoDB database had been indexed by BinaryEdge, a popular search engine for Internet-exposed services, since at least October 20. This means the database had already been open for five days when Diachenko found it.

Some files hosted on the Amex India website (and linked from the exposed database) contained plain-text information on hundreds of thousands of customers.

Credit: Bob Diachenko

Diachenko said he found 2.3 million additional encrypted records. He also found that the database was managed by a third-party company rather than by Amex's own team.

Amex cut off public access to the database as soon as Diachenko contacted the company. Amex then stated that, because of the encryption, there had been no unauthorized access and no customer data was affected.

We have contacted Amex for additional information on this incident and will update the story accordingly.

MongoDB exposures are not uncommon. Last year, data on 31 million users of the AI.type virtual keyboard was exposed through a misconfigured MongoDB database. Since version 3.6, MongoDB binds to localhost by default, so an administrator has to explicitly configure it to listen on other interfaces before it can be reached from the Internet; access control is still disabled unless it is switched on, so an instance exposed without authorization enabled is readable by anyone who finds the port. We do not know which version Amex was running, but it is clear that Amex needs to pay more attention to its security practices.
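As an added example (it is not part of the article, and not Amex's or Hacken's material), the following POSIX shell script classifies a mongod.conf by whether mongod would listen beyond loopback and whether authorization is enabled, applying the pre-3.6 and 3.6 defaults described above. The three config files, the version numbers and the 10.0.0.5 address are constructed for illustration; the parsing is a deliberate grep of three YAML keys, not a full YAML parser.

```shell
#!/bin/sh
# Added example, not from the article nor from Amex or Hacken: classify a
# mongod.conf by (a) whether mongod listens beyond loopback and (b) whether
# authorization is enabled. The configs below are constructed for illustration.
#
# Background the check encodes:
#   * before 3.6, an unset net.bindIp meant "listen on every interface";
#     from 3.6 on it means "localhost only" and must be widened on purpose;
#   * security.authorization is disabled unless set, on every version, so a
#     reachable port with no "authorization: enabled" is readable by anyone.
# Parsing is a deliberate grep of three YAML keys, not a full YAML parser.

# mongod_exposure CONF VERSION -> prints LOOPBACK_ONLY | NETWORK_AUTH | NETWORK_NO_AUTH
mongod_exposure() {
    conf="$1"
    ver="$2"

    # Strip YAML comments, then read the values of the keys that matter.
    bind_ip=$(sed 's/#.*$//' "$conf" | awk '/^[[:space:]]*bindIp:/ {print $2}' | tr -d "\"'")
    bind_all=$(sed 's/#.*$//' "$conf" | awk '/^[[:space:]]*bindIpAll:/ {print $2}')
    authz=$(sed 's/#.*$//' "$conf" | awk '/^[[:space:]]*authorization:/ {print $2}' | tr -d "\"'")

    # Apply the version-dependent default for an unset bindIp.
    if [ -z "$bind_ip" ]; then
        if awk -v v="$ver" 'BEGIN { exit !(v + 0 < 3.6) }'; then
            bind_ip=0.0.0.0
        else
            bind_ip=localhost
        fi
    fi
    # bindIpAll: true (3.6+) overrides bindIp and listens everywhere.
    if [ "$bind_all" = "true" ]; then
        bind_ip=0.0.0.0
    fi

    # bindIp is a comma-separated list; any non-loopback entry opens the port.
    reachable=0
    for addr in $(printf '%s' "$bind_ip" | tr ',' ' '); do
        case "$addr" in
            127.0.0.1|localhost|::1) ;;
            *) reachable=1 ;;
        esac
    done

    if [ "$reachable" -eq 0 ]; then
        echo LOOPBACK_ONLY
    elif [ "$authz" = "enabled" ]; then
        echo NETWORK_AUTH
    else
        echo NETWORK_NO_AUTH
    fi
}

# --- constructed sample configs -------------------------------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
EXPOSED_CONF="$WORK/exposed.conf"    # the shape of config behind a leak like this one
DEFAULT_CONF="$WORK/default.conf"    # nothing set: safe only on 3.6+
HARDENED_CONF="$WORK/hardened.conf"  # reachable by the app tier, but authenticated

cat > "$EXPOSED_CONF" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # every interface, including the public one
# no security section: authorization stays disabled
EOF

cat > "$DEFAULT_CONF" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
EOF

cat > "$HARDENED_CONF" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus an assumed app-subnet address
  tls:                         # net.tls needs 4.2+; older releases use net.ssl
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem
security:
  authorization: enabled
EOF

# Show how the same file reads on a pre-3.6 and a 3.6 server.
for c in "$EXPOSED_CONF" "$DEFAULT_CONF" "$HARDENED_CONF"; do
    for v in 3.4 3.6; do
        printf '%-14s on mongod %s: %s\n' "$(basename "$c")" "$v" "$(mongod_exposure "$c" "$v")"
    done
done
```

The script only reads a config you administer; it says nothing about a host you do not control, and a correct bindIp does not substitute for a firewall rule on port 27017. To see what the Internet sees, check from outside (for example `nc -zv host 27017`, or a scan index such as BinaryEdge, which is how this database surfaced in the first place).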
