A recently disclosed data leak impacts around 700,000 AmEx India customers, exposing Personally Identifiable Information (PII) like Names, Emails & Telephone numbers. This leak highlights the perils of Shadow IT, and why organizations should look into building a continuous digital risk monitoring program. Here’s a brief on what you need to know:
What Was Exposed?
An unprotected MongoDB instance, containing nearly 3 Million records, of which roughly 700,00 were unencrypted, containing PII like Name, Email, Phone numbers etc.
As per Bob Diachenko, from Hacken, who discovered the leak on 23rd October : “Files hosted on the AmEx India website (links to which were also included in the exposed database) contained detailed unencrypted information on hundreds of thousands of AmEx customers, incl. names, mobile phones, and PANcard numbers.”
Lax security practices by one of Amex’s vendors handling SEO or Lead Generation was highlighted as probable cause by Bob, who mentions: “Upon closer examination, I am inclined to believe that the database was not managed by AmEx itself but instead by one their subcontractors who were responsible for SEO or lead generation. I came to this conclusion since many of the entries contained fields such as ‘campaignID’, ‘prequalstatus’ and ‘leadID’ etc.” . The vendor remains unidentified so far.
How Was it Discovered?
The leak was discovered using publicly accessible IoT search engines like Shodan and BinaryEdge. Based on queries on the IoT search engines, Bob was able to identify an exposed MongoDB server running on a public IP, containing data which appeared to belong to Amex, and was later confirmed through manual analysis. The data was indexed at least 5 days before discovery.
Similar Data Leaks in the Past:
Misconfigured, publicly accessible IT infrastructure leaking sensitive data has become a common occurrence and has led to several leaks in the past, including ones impacting Verizon Wireless, Booz Allen, Accenture etc. This infrastructure is often referred to as “Shadow IT”, i.e. IT infrastructure which might not be in IT’s radar, due to various reasons (e.g.: Marketing applications put up online without informing IT). Shadow IT infrastructure often also includes misconfigured cloud infrastructure which organizations might be using (e.g.: S3 Buckets) and may be managed by the organization’s vendors (like in the case of Amex).
What Can Organizations Do About It?
Get a Complete Understanding of Organizations’ Digital Attack Surface: Most organizations do not have a complete view of their digital attack surface. Common gaps include an incomplete list of domains, subdomains, Server / IPs, IoT, 3rd Party Services etc. A single unsecured server can lead to a catastrophic breach.
Continuously Monitor for Digital Risks: Digital assets go online and offline continuously. Digital assets need to be continuously monitored to minimize the window of exposure. In the era of DevOps, organizations should have complete visibility on a near real-time basis on what assets are getting exposed.
Include Vendors as Part of Digital Risk Monitoring: Organizations often neglect vendors from the purview of security monitoring, relying on questionnaire-based assessments, which is grossly insufficient. Progressive organizations are leveraging OSINT (Open Source Intelligence) to monitor their vendors and minimize the risks.
FireCompass is the new way to define and secure organizations’ perimeters
FireCompass indexes the entire global internet to discover the unknown attack surface of an organization which is exposed on the internet. It creates an asset inventory of all your publicly exposed applications & services. This big picture is delivered via web-based software, APIs, and executive reporting.
FireCompass is a SaaS platform for Continuous Automated Pen Testing, Red Teaming and External Attack Surface Management (EASM). FireCompass continuously indexes and monitors the deep, dark and surface webs using nation-state grade reconnaissance techniques. The platform automatically discovers an organization’s digital attack surface and launches multi-stage safe attacks, mimicking a real attacker, to help identify breach and attack paths that are otherwise missed out by conventional tools.
Feel free to get in touch with us to get a better view of your attack surface.