Financial company leaks user passports

IKF Finance, an Indian non-banking finance company, leaked over three terabytes of sensitive customer and employee data, potentially exposing its entire user base.

A misconfigured MongoDB instance left over four million IKF Finance documents exposed to the public, the Cybernews research team has discovered.

Businesses employ MongoDB to organize and store large swaths of document-oriented information and, in IKF Finance’s case, various government-issued identification documents.

According to the team, the database was exposed for around a week before it was closed down. We have reached out to IKF Finance for comment yet did not receive a reply before publishing.

What IKF Finance data was exposed?

The exposed instance consisted of over four million documents of various types, and the overall size of the exposed database was over 3.3 terabytes. The instance contained a lot of sensitive customer and employee data, including:

  • Permanent account number (PAN) cards issued by India’s Income Tax Department
  • Aadhaar cards, India’s biometric identity document
  • Passports
  • Loan contracts
IKF Finance sample
Sample of the exposed data. Image by Cybernews.

The team also noted that the open instance contained plain-text access details to the IKF online application, potentially allowing malicious actors to review, approve, or decline loan applications.

“Not only does the breach compromise sensitive user information, but it also opens the door for fraudulent activities, putting users at risk of identity theft and financial harm,” our researchers said.

The extent of the exposed data suggests a severe lapse in the company’s cybersecurity measures, highlighting the need for a comprehensive investigation into the incident. Immediate action should be taken to secure the leak and protect affected users.

“The incident underscores the critical importance of robust data protection measures and the potential consequences of inadequate security practices in the digital age,” the team concluded.