Cybersecurity firm UpGuard said it has discovered what it called “new and damaging exposure” from within a financial firm, which, beyond revealing critical internal data, also exposes customer information compiled by all three major credit agencies.
111 GB of internal customer information from National Credit Federation, a Tampa, Florida-based credit repair service, was left exposed in a publicly downloadable data repository, revealing to the public internet sensitive personal and financial information for tens of thousands of customers, according to UpGuard.
The leaked files included sensitive documents and details such as customer names, addresses, dates of birth, driver’s license and Social Security card images, credit reports from all three major agencies, personalized credit blueprints containing detailed financial histories, and full credit card and bank account numbers, the security researchers stated.
UpGuard Director of Cyber Risk Research Chris Vickery in October discovered an Amazon Web Services S3 cloud storage bucket configured for public access, allowing any web user entering the repository’s URL to access and download the bucket’s contents.
The bucket’s subdomain, “crm-mvp,” likely refers to “customer record management” or “customer relationship management,” theories seemingly corroborated by the repository’s contents: forty-seven thousand files, most of them PDF and text documents, containing the sensitive information of National Credit Federation customers.
Photographs and scans of Social Security cards reveal full customer Social Security numbers, while other submitted documents contain full customer bank account and credit card numbers. All of this data could be easily used by malicious actors to steal identities and compromise the personal finances of NCF customers.
This exposure comes three months after Atlanta-based credit monitoring giant Equifax revealed that data impacting 145 million Americans had been stolen from its servers, and after Uber recently revealed a major hack from 2016.