Inside American Express India cloud storage exposure

On 23rd October I discovered an unprotected Mongo DB which allowed millions of records to be viewed, edited and accessed by anybody who might have discovered this vulnerability.  The records appeared to be from an American Express branch in India.

It is important to note that no special programmes were used and I located these records by simply using IoT search engines such as Shodan and the newly created BinaryEdge.io.

According to the search results from BinaryEdge.io the database had been first indexed on 20th October meaning it had been in the wild for 5 days before I had spotted it!

Whilst most of the data was encrypted, several collections of data contained readable links and access details for services and accounts hosted on the  americanexpressindia.co.in domain including mobile numbers and names etc.

The largest non-encrypted collection of data contained 689,272 records which included Amex India customers’ phone numbers, names, email addresses, and ‘type of card’ description fields.

The encrypted data included 2,332,115 records which included names, addresses, Aadhar numbers (Indian government unique ID number), PAN card numbers and phone numbers.

Files hosted on the  AmEx India website (links to which were also included in the exposed database) contained detailed unencrypted information on hundreds of thousands of AmEx customers, incl. names, mobile phones, and PANcard numbers.

Upon closer examination, I am inclined to believe that the database was not managed by AmEx itself but instead by one their subcontractors who were responsible for SEO or lead generation. I came to this conclusion since many of the entries contained fields such as ‘campaignID’, ‘prequalstatus’ and ‘leadID’ etc.

Following my discovery, I immediately got in touch with the American Express incident response team and they have since secured the database from public access.

Furthermore, they have clarified that the MongoDB database was securely encrypted and there had been no evidence of unauthorized access to the environment where the data resides.

We applaud AmEx’s rapid response to this issue, noting they immediately took down that server upon notification and began further investigations.

Our takeaway from this is the importance of cybersecurity at every stage of your development process. It could even be argued that your development network must be one of your most secure networks since it contains your intellectual property.

As we learned from this incident, one never knows when transient firewall rules may inadvertently expose your development machines to the public.  In this case, it appears to have only exposed some long-lost personal information of an unknown number of AmEx India customers, but for others, it could be critical intellectual property or even your entire subscriber base that is at risk of being exposed.

If you require assistance with building a structured responsible disclosure program don’t hesitate to contact us for assistance.

The research was done by Bob Diachenko, Director of Cyber Risk Research at Hacken.