Federal police and banking records exposed by database leak in India

The open dataset held financial fraud investigation records alongside sensitive data such as bank account numbers, account holder names, and cases related to India’s Central Bureau of Investigation (CBI).

The Cybernews research team has discovered an open dataset containing over 33.5 million records. The 24GB-strong dataset contained highly sensitive information including bank account numbers, holder names and balances, as well as transaction types, destinations, and amounts. Researchers found records from over 200 Indian banks in the database.

The open dataset also held information on financial fraud investigations in India associated with the CBI, the country’s rough equivalent of the FBI tasked with conducting high-profile inquiries there.

Other cases found in the dataset included private companies that were investigated by local police and taken to court on charges of fraud. While it’s unclear who owns the dataset, the nature of the information in it suggests that it was being held by an Indian court or a private fraud investigation agency.

The open instances were discovered by the Cybernews team during a routine open-source intelligence (OSINT) investigation of Kibana and Elasticsearch, and have since been closed. They were hosted by French cloud computing company OVHcloud.

Highly sensitive data

The financial data could be used to illegally access user accounts and empty them of money. Researchers who uncovered the dataset also noted that information about financial fraud inquiries is particularly useful to threat actors, as some of this data allows scammers to approach people who have already fallen foul of fraud and thus proven themselves vulnerable to being cheated.

Screenshot: The database included records from 207 Indian banks

“The database includes payment information, such as names, bank account numbers, payment descriptions, transferred amounts, and bank balances,” said Aras Nazarovas, a researcher at Cybernews. “Most of this data is considered material non-public information (MNPI) since it belongs to companies, not individuals. MNPI is the type of data that, if leaked, could affect a company's public perception or stock price.”

Other entries pertain to individuals and are considered non-public personal information (NPI), including names, bank transaction data, and court records.

“While attackers could not use this data alone to cause any damage, it can be used in combination with data gathered from other attacks,” Nazarovas added. “It can also be useful to attackers who want to find target accounts with high balances. Payment descriptions could be used to track a target's spending habits.”

This is the second case in recent times of cybersecurity researchers stumbling across leaking datasets exposing Indian citizens’ data. In early August, analyst SecurityDiscover found instances with close to 290 million records, including sensitive personal information on India’s residents, such as government-issued universal account numbers, bank details, and income data.

Around the same time, another major data incident in Asia came to light, when hackers put up for sale a massive database kept by police in Shanghai that allegedly included information on a billion Chinese citizens.