Jana Small Finance Bank Leaves Transactions Database Unsecured

  • 2.6 million of Jana Bank customers have had their sensitive data exposed.
  • The company has left one of its databases unprotected, accessible, and even editable by anyone.
  • The Elastic database has now been secured, but the company has not announced anything about the incident yet.

The Jana “small finance” bank has blundered, leaving a database that contained millions of financial transactions open for access by anyone, as they didn’t set up a password for it. The database was discovered by researcher Jeremiah Fowler on May 26, and upon further investigation, Fowler found the owner and reported the problem to them. The Jana Bank security team secured the database even if it was during the weekend, so at least they responded quickly and effectively.

Small finance banks like Jana are a kind of niche financial institutions in India, operating to provide basic banking services, accept deposits, and lend small business units, farmers, micro/small industries, and unorganized sector entities that are generally not served by regular banks. Jana is headquartered in Bengaluru and has been operating as a small finance bank since 2015. It is the largest Micro Finance Institution in India, has a national reach, and is globally recognized.

database_contents
image source: securitydiscovery.com

All that said, the exposure is significant both qualitatively and quantitatively. On the whole, the number of exposed users and transaction records is 2.6 million. The type of the data that was contained in the unprotected Elastic database includes the bank’s clients PII, their wallet IDs, usernames, emails, account and transaction data, full history records, IP addresses, and the entire “KYC” (Know Your Customer) package. The KYC is a set verification data set that is required by Indian law for all banks and includes the Aadhaar number, voter ID, driver’s license, PAN card, and the passport.

database_entry
image source: securitydiscovery.com

As the database was not protected in any way, attackers could download, edit, or delete the contained data without needing administrative credentials. However, the researcher found no signs of this having happened. Moreover, it is unclear if Jana Bank has sent breach notices to the affected clients or not, and there is no indication of anything bad had happened on their social media and official communication channels. The Personal Data Protection Bill that became Indian Law in 2018 dictates that they are obliged to inform both the affected people and the India authorities. According to Jana, they have served over 8 million people, so this breach affected a smaller portion, with the exact numbers remaining unknown right now (there could be duplicate entries in the database).

Have you received a notice from Jana Bank? Share it with us in the comments down below, or on our socials, on Facebook and Twitter.

REVIEW OVERVIEW

Latest

How to Watch Chicago Blackhawks Games Online Without Cable

The Chicago Blackhawks are one of the most widely known teams in the NHL, with a lot of history and a fanbase...

How to Watch Pam & Tommy Online from Anywhere: Release Date, Cast, Plot, & Trailer

This biographical drama series surrounds the infamous controversial '90s tape of Motley Crue drummer Tommy Lee and then-wife actress Pamela Anderson that...

Attack On Titan Becomes Most “In-Demand” Series of 2021

Attack on Titan has indeed come a long way since the manga, by Hajime Isayama, first released in 2009. Of course, the...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari