Financial company leaks user passports

IKF Finance, an Indian non-banking finance company, leaked over three terabytes of sensitive customer and employee data, potentially exposing its entire user base.

A misconfigured MongoDB instance left over four million IKF Finance documents exposed to the public, the Cybernews research team has discovered.

Businesses employ MongoDB to organize and store large swaths of document-oriented information and, in IKF Finance’s case, various government-issued identification documents.
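The article does not say which setting left the IKF Finance instance reachable, so the following is an added illustration, not IKF Finance's or Cybernews' configuration. It assumes the most common way a MongoDB instance ends up public: mongod listening on every interface with access control left off. The first document shows that weak mongod.conf; the second shows the hardened equivalent that binds only to the loopback (or a private) interface and requires authentication, so an unauthenticated client on the internet cannot list or dump collections.

```yaml
# Added example: a weak mongod.conf of the kind that exposes a database to the internet.
# Assumed values, not taken from the article.
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on every interface, including the public one
# no "security" section: authorization defaults to disabled, so any client
# that can reach port 27017 can read and write every database without credentials

---
# Added example: the hardened equivalent.
net:
  port: 27017
  bindIp: 127.0.0.1        # loopback only; use a private-network address if
                           # application servers connect from other hosts
  tls:
    mode: requireTLS       # encrypt client traffic; assumes a certificate at the path below
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path
security:
  authorization: enabled   # every client must authenticate; privileges come from roles
```

Enabling authorization only helps once users exist, so after restarting mongod create an administrative user, then least-privilege users per application (for example readWrite on one database rather than root). A network firewall or cloud security group that blocks 27017 from the internet is a second, independent layer: even if someone later edits bindIp back to 0.0.0.0, the port stays unreachable from outside.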

According to the team, the database was exposed for around a week before it was closed down. We have reached out to IKF Finance for comment but did not receive a reply before publishing.

What IKF Finance data was exposed?

The exposed instance consisted of over four million documents of various types, and the overall size of the exposed database was over 3.3 terabytes. The instance contained a lot of sensitive customer and employee data, including:

  • Permanent account number (PAN) cards issued by India’s Income Tax Department
  • Aadhaar cards, India’s biometric identity document
  • Passports
  • Loan contracts
[Image: sample of the exposed data. Image by Cybernews.]

The team also noted that the open instance contained plain-text access details to the IKF online application, potentially allowing malicious actors to review, approve, or decline loan applications.

“Not only does the breach compromise sensitive user information, but it also opens the door for fraudulent activities, putting users at risk of identity theft and financial harm,” our researchers said.

The extent of the exposed data suggests a severe lapse in the company’s cybersecurity measures, highlighting the need for a comprehensive investigation into the incident. Immediate action should be taken to secure the leak and protect affected users.

“The incident underscores the critical importance of robust data protection measures and the potential consequences of inadequate security practices in the digital age,” the team concluded.
