On May 26th, I discovered a non-password protected database that contained what appeared to be millions of financial transactions. Upon further research I was able to connect the data to an India-based microfinance bank called Jana Cash. I immediately followed a responsible disclosure policy and reported the discovery on a weekend, hoping that someone would close access as soon as possible. On May 28th the database was closed and public access was restricted. The Jana Bank security team acted fast and professionally upon receiving my notice. It is unclear how long the data may have been exposed or who else may have had access to it.
According to their website: “Jana Small Finance Bank, Janalakshmi Financial Services, is headquartered in Bengaluru. It is one of the 10 financial institutions which had received in-principle approval from RBI, in 2015, to set up a Small Finance Bank. Established in Bengaluru in 2008, it went on to become the largest Micro Finance Institution (MFI) in India, and was recognized globally as one of the world’s innovative financial institutions working on the problem of financial inclusion”.
How sensitive was the data?
KYC, or Know Your Customer, rules require banks to verify the identity of their customers. This means customers must hand over personally identifiable information to comply with the rules. The bad part is that this KYC verification data was stored in a database with no authentication, one that anyone with an internet connection could read. Jana Bank requires one of the following documents:
· Aadhaar Card
· Voter Id
· Driver’s License
· PAN Card
- This is an Elastic (Elasticsearch) database with no authentication, so its contents were visible in any browser (publicly accessible), and anyone could read, download, edit, or even delete data without administrative credentials.
- Millions of records including KYC PII client information, wallet IDs, usernames, emails, and other account and transaction data.
- 2.6 Million Users and Transaction Records
- Internal records and other details.
- IP addresses, ports, internal paths, and storage information that cyber criminals could use to move deeper into the network.
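To make the exposure above concrete, here is a non-destructive check that tells whether an Elasticsearch node answers without credentials. This is an added example, not code from the original write-up or from Jana Bank or its vendor. It assumes the node exposes its REST API over HTTP (the usual port 9200); the cluster name, index names and document counts in the embedded sample responses are constructed for illustration and do not describe the real data set.

```python
"""Non-destructive check for an Elasticsearch node exposed without authentication.

Added example, not code from the original Security Discovery write-up. The
sample responses below are constructed to resemble what an open 6.x node
returns; the index names and document counts are invented for illustration.
"""
import json
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Exposure:
    unauthenticated: bool          # True when GET / returned the node banner with no 401/403
    version: Optional[str] = None
    indices: List[Tuple[str, int]] = field(default_factory=list)  # (index name, doc count)
    total_docs: int = 0
    notes: List[str] = field(default_factory=list)


def classify(root_status: int, root_body: str,
             cat_status: int, cat_body: str) -> Exposure:
    """Turn the raw replies to GET / and GET /_cat/indices?format=json into a verdict.

    401/403 on the root endpoint means credentials are enforced (X-Pack security
    or an authenticating proxy). A 200 whose JSON carries "cluster_name" and
    "version" is the banner an open Elasticsearch node shows to any browser.
    """
    if root_status in (401, 403):
        return Exposure(False, notes=["root endpoint requires credentials"])
    try:
        root = json.loads(root_body)
    except json.JSONDecodeError:
        return Exposure(False, notes=["root endpoint did not return Elasticsearch JSON"])
    if not isinstance(root, dict) or "cluster_name" not in root or "version" not in root:
        return Exposure(False, notes=["not an Elasticsearch node banner"])

    version = root["version"].get("number") if isinstance(root["version"], dict) else None
    result = Exposure(True, version=version)
    try:
        major = int(version.split(".")[0])
        # Security is on by default only from 8.0; older nodes need
        # xpack.security.enabled set explicitly (before 6.8 it needed a paid license).
        if major < 8:
            result.notes.append(f"version {version}: security is off unless explicitly enabled")
    except (AttributeError, ValueError):
        result.notes.append("could not parse version number")

    if cat_status == 200:
        try:
            rows = json.loads(cat_body)
        except json.JSONDecodeError:
            rows = []
        for row in rows if isinstance(rows, list) else []:
            name = row.get("index", "?")
            # docs.count is a string in _cat output and null for closed indices
            count = int(row.get("docs.count") or 0)
            result.indices.append((name, count))
            result.total_docs += count
        result.notes.append(f"{len(result.indices)} indices readable without credentials")
    elif cat_status in (401, 403):
        result.notes.append("banner readable but index listing requires credentials")
    return result


def fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """GET a URL and return (status, body); HTTP error replies are returned, not raised."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(base_url: str) -> Exposure:
    """Read-only probe: two GET requests, never a write, update or delete."""
    base = base_url.rstrip("/")
    root_status, root_body = fetch(base + "/")
    cat_status, cat_body = fetch(base + "/_cat/indices?format=json")
    return classify(root_status, root_body, cat_status, cat_body)


# Constructed sample replies (hypothetical cluster, indices and counts).
SAMPLE_ROOT = json.dumps({"name": "node-1", "cluster_name": "kyc-test",
                          "version": {"number": "6.4.2"},
                          "tagline": "You Know, for Search"})
SAMPLE_CAT = json.dumps([{"health": "yellow", "index": "kyc_documents", "docs.count": "2104553"},
                         {"health": "green", "index": "wallet_transactions", "docs.count": "512009"}])


if __name__ == "__main__":
    verdict = probe(sys.argv[1]) if len(sys.argv) > 1 else classify(200, SAMPLE_ROOT, 200, SAMPLE_CAT)
    print(verdict)
```

Run it as `python probe_es.py http://host:9200` only against a host you are authorized to test; with no argument it classifies the embedded sample and reports two readable indices holding about 2.6 million documents. On the server side the fix is to bind `network.host` to a private interface, enable authentication (`xpack.security.enabled: true`, which is on by default only from Elasticsearch 8.0) or front the node with an authenticating reverse proxy, and never load production KYC data onto a test instance.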
Microfinance is a growing industry in India, where many people do not have bank accounts. Microfinance lenders provide loans or credit to individuals, small business owners, and entrepreneurs who would otherwise not qualify at larger banks. The cost of these loans and their interest rates are generally higher than those of traditional personal loans, but Indian law requires the terms to be straightforward.
According to a Press Release in 2018:
“Janalakshmi Financial Services has touched the lives of 8 Million+ people over the past 9 years and plans to continue its endeavor towards financial inclusion for the coming years, in the form of a Small Finance Bank”.
UPDATE: The following message was provided by a representative of Janalakshmi Financial Services:
“We thank you for bringing this issue to our notice. This particular server was hosted by one of our vendors, and the product related to erstwhile Janalakshmi Financial Services. This was data loaded on test server by the vendor and they have acted immediately by shutting down the server and purging the data after your intimation. We take customer privacy and information security very seriously. Thank you again”
Providing loans and credit is an important and valuable service, but this is a wake-up call for any organization that collects and stores user or customer data. Financial data is held to an even higher standard because of the increased risk of fraud or theft. India has taken major steps to safeguard the data of its citizens in one of the fastest growing digital economies. The Personal Data Protection Bill of 2018 outlines a strict set of guidelines that companies must follow regarding data protection and breach reporting. Jana Bank has been in contact with Security Discovery and is taking action to make sure that data protection and security are a core part of their business going forward.