American Express India enabled a database to be accessible to anyone for longer than five days in October, according to a report in The Next Web.
According to the report, the Hacken cyber consultancy team’s director of cyber risk research, Bob Diachenko, discovered the unprotected database on Oct. 25, and told The Next Web that it included customer names, phone numbers, addresses, PAN numbers and Aadhaar IDs.
Diachenko said the database was mostly encrypted, but that certain data sets included readable data. The largest had 689,272 records available in plain text, noted the report. The researchers said the Amex MongoDB database had been available on BinaryEdge – a popular list of exposed databases – since Oct. 20, but potentially even longer.
The report noted that Amex’s database was already available to the public five days before Diachenko found it. Diachenko said that he found an additional 2.3 million records that were encrypted and were managed by a third-party company instead of Amex’s own team. Amex reportedly fixed the problem as soon as it received the alert, and said the encryption prevented any access and impact to customer data.
In October, American Express posted results that showed increases in card member spending and lending activity. Overall, billed business gained 8 percent to $294.7 billion, filings showed. (Billed business is defined as transaction volume, including cash advances.) The company said in its release that total card member spending was up 8 percent, and 10 percent when adjusted for FX.
In terms of headline numbers, American Express posted a profit of $1.88, which beat expectations by $.11. Revenues of $10.1 billion edged expectations of $10.05 billion. Discount fees, which are charged to merchants, stood at $6.2 billion, gaining 8 percent for the year. Top-line segmentation showed that total consumer services revenues, net of interest expense, was $5.4 billion, while commercial services was $3.2 billion.