Jana Small Finance Bank Leaves Transactions Database Unsecured

  • 2.6 million Jana Bank customers have had their sensitive data exposed.
  • The company has left one of its databases unprotected, accessible, and even editable by anyone.
  • The Elastic database has now been secured, but the company has not announced anything about the incident yet.

The Jana “small finance” bank has blundered, leaving a database that contained millions of financial transactions open to anyone, as no password had been set on it. The database was discovered by researcher Jeremiah Fowler on May 26, and upon further investigation, Fowler identified the owner and reported the problem to them. The Jana Bank security team secured the database even though it was the weekend, so at least they responded quickly and effectively.

Small finance banks like Jana are a niche category of financial institution in India, operating to provide basic banking services, accept deposits, and lend to small business units, farmers, micro/small industries, and unorganized-sector entities that are generally not served by regular banks. Jana is headquartered in Bengaluru and has been operating as a small finance bank since 2015. It is the largest Micro Finance Institution in India, has a national reach, and is globally recognized.

image source: securitydiscovery.com

All that said, the exposure is significant both qualitatively and quantitatively. In total, the number of exposed users and transaction records is 2.6 million. The data contained in the unprotected Elastic database includes the bank’s clients’ PII, their wallet IDs, usernames, emails, account and transaction data, full history records, IP addresses, and the entire “KYC” (Know Your Customer) package. KYC is a verification data set that is required by Indian law for all banks and includes the Aadhaar number, voter ID, driver’s license, PAN card, and passport.

image source: securitydiscovery.com

As the database was not protected in any way, attackers could have downloaded, edited, or deleted the contained data without needing administrative credentials. However, the researcher found no signs of this having happened. Moreover, it is unclear whether Jana Bank has sent breach notices to the affected clients, and there is no indication that anything bad happened on their social media and official communication channels. The Personal Data Protection Bill that became Indian law in 2018 dictates that they are obliged to inform both the affected people and the Indian authorities. According to Jana, they have served over 8 million people, so this breach affected a smaller portion, with the exact numbers remaining unknown right now (there could be duplicate entries in the database).
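The failure mode described above is a cluster that answers REST requests with no credentials at all. The following self-audit script is an added example, not code from the article, Security Discovery, or Jana Bank: run against a cluster you administer, it sends an unauthenticated GET to the node root and reports whether the cluster banner and the index list are readable anonymously. It assumes the cluster exposes the standard Elasticsearch REST API at the URL you pass (for example `http://localhost:9200`).

```python
import json
import urllib.error
import urllib.request
from typing import Dict, List, Tuple


def classify(status: int, body: str) -> str:
    """Turn the response to an unauthenticated GET / into a verdict."""
    if status in (401, 403):
        return "auth-required"      # security is on; anonymous reads are refused
    if status != 200:
        return "unknown"
    try:
        info = json.loads(body)
    except ValueError:
        return "unknown"            # something else answered (proxy page, error HTML)
    if "cluster_name" in info and "version" in info:
        return "exposed"            # anyone who can reach the port gets the banner
    return "unknown"


def index_summary(cat_indices_json: str) -> List[Tuple[str, int]]:
    """(index, document count) pairs from /_cat/indices?format=json, minus system indices."""
    rows = json.loads(cat_indices_json)
    out = []
    for row in rows:
        name = row.get("index", "")
        if not name or name.startswith("."):
            continue
        out.append((name, int(row.get("docs.count") or 0)))
    return out


def _get(url: str, timeout: float) -> Tuple[int, str]:
    """GET without credentials; return (status, body) even for HTTP error codes."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def audit(base_url: str, timeout: float = 5.0) -> Dict[str, object]:
    """Audit a cluster you administer: verdict plus what an anonymous reader could list."""
    status, body = _get(base_url.rstrip("/") + "/", timeout)
    verdict = classify(status, body)
    result: Dict[str, object] = {"verdict": verdict, "indices": []}
    if verdict == "exposed":
        st, cat = _get(base_url.rstrip("/") + "/_cat/indices?format=json", timeout)
        if st == 200:
            result["indices"] = index_summary(cat)   # non-empty here means data is readable
    return result
```

A verdict of "exposed" with a non-empty index list is exactly the state the article describes; the fix is to enable authentication on the cluster and stop binding it to a public interface, then re-run the audit and expect "auth-required".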

Have you received a notice from Jana Bank? Share it with us in the comments down below, or on our socials, on Facebook and Twitter.
