Personal and financial data of thousands of Indian citizens was found to have been freely exposed on the Web by credit services firm Creditseva, according to Kromtech security researchers who first spotted the data breach.
Around 48,000 Indian citizens' critically sensitive data, including drivers' licence details, home addresses, credit reports and photographs, was left exposed by the Hyderabad-based fintech startup on an insecure Amazon Web Services server. The breach comes on the heels of Jio's massive data breach, which saw nearly 1 million users' data leaked and is now considered one of the largest data breaches in India's history.
The data left exposed by Creditseva is gold dust for cybercriminals, who could potentially use it to engage in identity theft or other cybercrimes. The data could have been easily accessed by any third party, including hackers.
It remains unclear how long the data was left exposed. It is also unclear whether Creditseva notified affected users about the breach. IBTimes UK has reached out to Creditseva for clarity on the matter and is awaiting a response. Creditseva says it mainly employs a workforce of "talented millennials".
"It was another misconfigured Amazon S3 bucket that was not password protected, leaving thousands of Indian citizens vulnerable," Kromtech security researcher Bob Diachenko told IBTimes UK. Diachenko said that his firm, which specialises in hunting for data breaches, alerted Creditseva about the breach on 2 August and that the insecure Amazon S3 bucket was secured the very next day.
"The availability of open Amazon S3 buckets makes them very easy to access. So, in this particular case, if you know the address, you can view, download and even edit the files directly in your browser. No need to install additional clients or use sophisticated techniques," Diachenko told us. "By default, S3 buckets are set to private access. However, for some reason (perhaps for easy internal sharing purposes) IT managers sometimes manually set it to public access."
Breaches involving cloud configuration errors are not uncommon. Several businesses have experienced such breaches in the past, caused by insecure Amazon Web Services servers. Most recently, Cisco admitted to losing some of its customers' data due to a cloud configuration error at Meraki, Cisco's subsidiary. So, what can businesses do to ensure that they do not become victims of such incidents?
Diachenko says that businesses using the Amazon cloud infrastructure "must ensure there aren't any publicly accessible S3 buckets." He recommended that organisations ensure the permissions on their Amazon account's S3 buckets are not set to the "everyone" setting, which would allow any third party to access the S3 data.
"A publicly accessible S3 bucket allows full control access to everyone (i.e. anonymous users) to read the objects within the bucket, upload/delete objects, view object permissions and edit object permissions," Diachenko said.
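The permission check Diachenko describes, as an added example that is not from the article or from Kromtech: a Python audit that flags ACL grants to the AllUsers or AuthenticatedUsers groups and bucket-policy statements with a wildcard principal. It assumes ACL and policy dictionaries in the shape returned by `aws s3api get-bucket-acl` and `get-bucket-policy`; the sample inputs are constructed.

```python
# Real S3 group URIs: AllUsers is anonymous access; AuthenticatedUsers is any
# AWS account in the world, which is effectively just as public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "everyone (anonymous)", AUTH_USERS: "any AWS account"}


def public_grants(acl):
    """Return (who, permission) for each ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return findings


def wildcard_principal_statements(policy):
    """Return Sids of Allow statements whose Principal is '*' (review each:
    a Condition block may narrow it, so it is a finding, not proof)."""
    hits = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if stmt.get("Effect") == "Allow" and "*" in (aws if isinstance(aws, list) else [aws]):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


# Constructed samples: an ACL like the one the article describes (FULL_CONTROL
# granted to everyone), a correctly private ACL, and a public-read bucket policy.
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-id"}
EXPOSED_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "FULL_CONTROL"}]}
PRIVATE_ACL = {"Owner": {"ID": OWNER["ID"]},
               "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}

if __name__ == "__main__":
    print("exposed ACL:", public_grants(EXPOSED_ACL))
    print("private ACL:", public_grants(PRIVATE_ACL))
    print("wildcard-principal statements:", wildcard_principal_statements(OPEN_POLICY))
```

In current AWS accounts, enabling S3 Block Public Access at the account level stops such grants and policies from taking effect; this check is for auditing buckets where that setting is absent or switched off.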
Creditseva stemmed from Singapore's startup scene and counts among its backers firms such as Singapore government-owned SGInnovate and venture capital firm Pix Vine Capital. According to a report by ET, Creditseva's other investors include Dennis Wong, former head of global API Platform at PayPal, and Vikram Sud, former APAC O&T head at Citibank.
Following publication of this article, one of Creditseva's investors, Singapore's Startupbootcamp, responded to our queries on behalf of Creditseva.
"Creditseva takes these matters extremely seriously and the security of our customers' data is our number one priority. There is no evidence at this time to suggest that there has been any form of data breach. Our customers can rest assured that our database and application are secure and their data is protected," an emailed statement said.
While the statement does not accept that an actual breach occurred, it skirts the issue of whether user data was left exposed because of a cloud server misconfiguration, as alleged by Kromtech researchers.
India's cyber laws currently have very vague and limited clauses on reporting breaches to either the government or users. According to security experts, unlike in the West, companies in India have no legal obligation to disclose data breaches.
Pranesh Prakash, policy director at the Centre for Internet and Society, told Reuters in the aftermath of the Jio data breach early in July: "A rule to report breaches exists, but it is unenforceable. It says you're not liable if you're following reasonable security practices. What 'reasonable' means is not defined."
"We don't have full-menu data protection laws," said Apar Gupta, a Supreme Court lawyer working on data privacy issues. "We don't even have an institutional framework or expert body to implement the limited data protection regulations that do exist. It's so limited it's more accurate to say no law exists."