[BreachExchange] India’s Jana Bank Left KYC Customer Data Exposed

Fri Jul 26 10:02:05 EDT 2019

https://www.pymnts.com/news/b2b-payments/2019/jana-bank-kyc-data-breach/

A so-called “small finance” bank in India has reportedly left
sensitive data on 2.6 million of its customers exposed without
password protection, according to Security Discovery reports this
week.

Jana Bank, based in Bengaluru, was one of 10 financial institutions
approved in-principle by the Reserve Bank of India in 2015 to
establish as a so-called small finance bank — a bank that provides
basic services for consumers and small businesses, including accounts
and deposit acceptance, small business lending, and financial services
to farmers and other micro industries.

Designed to promote financial inclusion, these small finance banks
target SMBs that typically lack access to larger traditional financial
institutions.

Researcher Jeremiah Fowler first discovered an accessible database
that was eventually revealed to be owned by Jana Bank and included
sensitive customer data including Voter ID, driver’s license,
passport, PAN Card, transaction, email, username and other
information, part of the bank’s Know Your Customer verification
database.

According to Security Discovery, anyone could access, edit, alter,
delete or download the information without administrative credentials.

Separate reports in TechNadu this week said that Jana immediately
secured the database when Fowler informed the institution of the
problem. However, as Security Discover pointed out, damage may already
have been done: The database also included information on IP
addresses, storage info and other details “that cyber criminals could
exploit to access deeper into the network,” the publication said.

Security Discovery said that it was waiting on Jana to provide a full
statement in response to the reports, though noted that the bank
emphasized its dedication to customer security and vowed to correct
the issue. It’s unclear if any further action can or should be done as
the bank had already secured the database last month after it was
first notified of the issue.

Earlier this year the State Bank of India suffered a data breach,
exposing the data of millions of customers including bank balances and
transactions stemming from the FI’s messaging system SBI Quick.