- 2.6 million of Jana Bank customers have had their sensitive data exposed.
- The company has left one of its databases unprotected, accessible, and even editable by anyone.
- The Elastic database has now been secured, but the company has not announced anything about the incident yet.
The Jana “small finance” bank has blundered, leaving a database that contained millions of financial transactions open to anyone, as no password had been set on it. The database was discovered by researcher Jeremiah Fowler on May 26, and upon further investigation Fowler identified the owner and reported the problem to them. The Jana Bank security team secured the database even though it was the weekend, so at least they responded quickly and effectively.
Small finance banks like Jana are a niche kind of financial institution in India, set up to provide basic banking services, accept deposits, and lend to small business units, farmers, micro/small industries, and unorganized-sector entities that are generally not served by regular banks. Jana is headquartered in Bengaluru and has been operating as a small finance bank since 2015. It is the largest Micro Finance Institution in India, has a national reach, and is globally recognized.
All that said, the exposure is significant both qualitatively and quantitatively. In total, 2.6 million user and transaction records were exposed. The data contained in the unprotected Elastic database includes the bank’s clients’ PII, their wallet IDs, usernames, emails, account and transaction data, full history records, IP addresses, and the entire “KYC” (Know Your Customer) package. The KYC is a verification data set that Indian law requires all banks to collect, and it includes the Aadhaar number, voter ID, driver’s license, PAN card, and passport.
As the database was not protected in any way, attackers could have downloaded, edited, or deleted the contained data without needing administrative credentials. However, the researcher found no signs of this having happened. Moreover, it is unclear whether Jana Bank has sent breach notices to the affected clients, and there is no indication on their social media and official communication channels that anything bad has happened. The Personal Data Protection Bill that became Indian law in 2018 dictates that they are obliged to inform both the affected people and the Indian authorities. According to Jana, they have served over 8 million people, so this breach affected a smaller portion, with the exact numbers remaining unknown right now (there could be duplicate entries in the database).
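The exposure described above comes down to two settings on an Elasticsearch node: authentication switched off, so no credentials are needed, and the HTTP port bound to every network interface, so anyone on the internet can reach it. The following audit script is an added example for defenders, not code from the article or from Jana Bank. It parses a flat `elasticsearch.yml` and flags those settings, showing a weak configuration beside a hardened one. The setting keys (`xpack.security.enabled`, `xpack.security.http.ssl.enabled`, `network.host`) are real Elasticsearch settings; the two sample configurations and the address in them are constructed for this example, and the treatment of a missing `xpack.security.enabled` as a finding assumes a pre-8.0 node, where security was off unless explicitly enabled.

```python
"""Audit a flat elasticsearch.yml for settings that leave the REST API open
to anyone who can reach the port. Example added to this article; the
sample configurations below are constructed, not from any real deployment."""

from dataclasses import dataclass
from typing import Dict, List, Optional

# Setting -> values that turn the node into an unauthenticated, world-reachable store.
RISKY_VALUES: Dict[str, set] = {
    "xpack.security.enabled": {"false"},
    "xpack.security.http.ssl.enabled": {"false"},
    "network.host": {"0.0.0.0", "::", "_site_", "_global_"},
}

ADVICE = {
    "xpack.security.enabled": "enable X-Pack security so every request needs credentials",
    "xpack.security.http.ssl.enabled": "serve the REST API over TLS so credentials are not sent in clear",
    "network.host": "bind to a private interface and put the port behind a firewall or VPN",
}


@dataclass(frozen=True)
class Finding:
    key: str
    value: Optional[str]   # None means the setting was absent from the file
    advice: str


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse `key: value` lines; comments and blank lines are skipped.
    Deliberately minimal so the example runs without PyYAML."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'").lower()
    return settings


def audit(settings: Dict[str, str]) -> List[Finding]:
    """Return one Finding per risky setting. A missing xpack.security.enabled
    is reported too: on nodes before 8.0 security was off by default (assumption
    stated in the lead-in), so silence in the file means no authentication."""
    findings: List[Finding] = []
    for key, bad_values in RISKY_VALUES.items():
        value = settings.get(key)
        if value in bad_values or (key == "xpack.security.enabled" and value is None):
            findings.append(Finding(key, value, ADVICE[key]))
    return findings


def audit_text(text: str) -> List[Finding]:
    return audit(parse_flat_yaml(text))


# Constructed weak configuration: reproduces the failure mode in the article.
WEAK_CONFIG = """
cluster.name: payments-prod
network.host: 0.0.0.0                  # reachable from every interface
http.port: 9200
xpack.security.enabled: false          # no username/password required
xpack.security.http.ssl.enabled: false
"""

# Constructed hardened configuration: same node, access now requires credentials over TLS
# and the API is reachable only on a private address (10.0.0.5 is a placeholder).
HARDENED_CONFIG = """
cluster.name: payments-prod
network.host: 10.0.0.5
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_text(cfg)
        print(f"{label}: {len(results)} finding(s)")
        for f in results:
            print(f"  {f.key} = {f.value!r}: {f.advice}")
```

Run against the weak sample it reports all three settings; against the hardened sample it reports nothing. In practice the same check belongs in configuration management or CI, so a node never ships with these values in the first place, and it is worth pairing it with an external check that the REST port answers only to authenticated requests.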