India’s Jana Bank Left KYC Customer Data Exposed


A so-called “small finance” bank in India has reportedly left sensitive data on 2.6 million of its customers exposed without password protection, according to Security Discovery reports this week.

Jana Bank, based in Bengaluru, was one of 10 financial institutions approved in-principle by the Reserve Bank of India in 2015 to establish as a so-called small finance bank — a bank that provides basic services for consumers and small businesses, including accounts and deposit acceptance, small business lending, and financial services to farmers and other micro industries.

Designed to promote financial inclusion, these small finance banks target SMBs that typically lack access to larger traditional financial institutions.

Researcher Jeremiah Fowler first discovered an accessible database that was eventually revealed to be owned by Jana Bank. It contained sensitive customer data, including Voter ID, driver’s license, passport, PAN Card, transaction, email, username and other information, and was part of the bank’s Know Your Customer verification database.

According to Security Discovery, anyone could access, edit, alter, delete or download the information without administrative credentials.

Separate reports in TechNadu this week said that Jana immediately secured the database when Fowler informed the institution of the problem. However, as Security Discovery pointed out, damage may already have been done: The database also included information on IP addresses, storage info and other details “that cyber criminals could exploit to access deeper into the network,” the publication said.

Security Discovery said that it was waiting on Jana to provide a full statement in response to the reports, though it noted that the bank emphasized its dedication to customer security and vowed to correct the issue. It’s unclear if any further action can or should be taken, as the bank had already secured the database last month after it was first notified of the issue.

Earlier this year the State Bank of India suffered a data breach, exposing the data of millions of customers including bank balances and transactions stemming from the FI’s messaging system SBI Quick.