Data of nearly 700,000 Amex India customers exposed via unsecured MongoDB server

Over 2.3 million user records were encrypted, but data for 700,000 customers was not.

The personal details of nearly 700,000 American Express (Amex) India customers have been accidentally left exposed online via an unsecured MongoDB server.

The leaky server, which was left exposed online without a password, was discovered three weeks ago by Bob Diachenko, Director of Cyber Risk Research at cyber-security firm Hacken.

Most of the data on the server appeared to have been encrypted and required a decryption key to view, but the researcher says 689,272 records were stored in plaintext and accessible to anyone who stumbled upon the database.

The plaintext records, Diachenko says, contained the personal details of Amex India customers, such as phone numbers, full names, email addresses, and card type description fields. The data isn't overly sensitive but could be more than useful to power a spam campaign.

On the other hand, the encrypted records, which totaled 2,332,115 entries, contained more personal information. Based on the MongoDB table's header, this included customer names, addresses, Aadhaar numbers, PAN card numbers, and phone numbers.

Other tables (collections) inside the exposed MongoDB database also contained links and access details for accounts on the americanexpressindia.co.in domain.

"Upon closer examination, I tend to believe that the database was managed not by Amex but one of their subcontractors responsible for SEO or lead generation," said Diachenko. "Many entries contained fields like 'campaignID', 'prequalstatus', 'leadID' etc."

Diachenko told ZDNet today that Amex India took down the leaky server on the same day he notified the company, although it remains unclear how long the server was exposed online.

Nonetheless, Amex India said that a subsequent investigation did not discover any "evidence of unauthorized access," suggesting that Diachenko might have been the only one who accessed the server during its exposure.

Diachenko told ZDNet that he wasn't able to track down the SEO/lead generation company that managed the leaky server, and Amex India did not reveal this information either.

An Amex India spokesperson was not available for additional comments.

Two weeks before discovering the leaky Amex India server, Diachenko also discovered an unsecured ElasticSearch cluster that leaked millions of records from Mindbody, one of the biggest US wellness service providers. He also found a data leak at a Maryland consulting firm handling fundraisers for the Democratic party.
