384M of Highly Sensitive Financial Records Exposed Online
Secure Thoughts collaborated with Security Expert Jeremiah Fowler to expose a serious leak of highly sensitive financial and credit data. Here are his findings:
On Jan 5th, 2021 I discovered 384 million records that contained names, ID numbers, payment, and billing records in plain text. This data breach exposed 45.5 GB of internal logging, customer, debt payment information, and much more. The data was stored on a US-based Microsoft Azure cloud server. These highly sensitive records were publicly available to anyone with an internet connection.
Many of the folders or indices were labeled as “Production” and it was clear that this data should not have been exposed online. There were multiple references to Sistecredito and Credinet.co. Upon further research it was clear that this data was associated with payment, loans, credit, or installment payments.
What the database contained:
- Total Size: 45.6 GB / Total Docs: 384,114,287
- This database was set to open and visible in any browser (publicly accessible) and anyone could edit, download, or even delete data without administrative credentials.
- Exposed records that contain a large number of customers’ personally identifiable information (PII), including ID numbers.
- Highly sensitive credit, debt and payment data.
- Credit API data that included payments, cancellations, and refinancing. Payment gateway data, including tokens and security data.
- Database at risk for ransomware or a Meow bot attack.
- Kibana configuration records, IP addresses, ports, paths, and storage info that cyber criminals could exploit to gain deeper access into the network.
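The report does not name the engine behind this database, but "indices" plus Kibana configuration records point to Elasticsearch, and that is the assumption behind the following check. It is an added example, not code from the report or from Sistecrédito: it classifies the answers to two unauthenticated GETs (the root URL and the index listing) the way a researcher or defender would when deciding whether a cluster is open, and it looks for index names ending in "-meow", the trace left by the automated wiper the report warns about. The sample responses are constructed.

```python
"""Classify an Elasticsearch-style HTTP endpoint as open or secured from two
unauthenticated GETs:  GET /  and  GET /_cat/indices?format=json

Added example. Assumes the exposed database was Elasticsearch (the report only
implies it); the sample responses below are constructed, not captured.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field


@dataclass
class Exposure:
    open_read: bool = False                 # index listing answered without credentials
    indices: list = field(default_factory=list)
    meow_hit: bool = False                  # an index named "*-meow": wiper has already visited
    notes: list = field(default_factory=list)


def classify(root_status, root_body, cat_status, cat_body):
    """Decide exposure from the status codes and bodies of the two requests."""
    ex = Exposure()
    if root_status in (401, 403):
        ex.notes.append("root requires credentials")
        return ex
    if root_status == 200:
        try:
            info = json.loads(root_body)
        except ValueError:
            ex.notes.append("root answered 200 but not JSON; probably not Elasticsearch")
            return ex
        if "cluster_name" in info:
            ex.notes.append(f"cluster {info['cluster_name']} answers anonymously")
    if cat_status == 200:
        try:
            rows = json.loads(cat_body)
        except ValueError:
            rows = []
        ex.indices = [r.get("index", "") for r in rows if isinstance(r, dict)]
        ex.open_read = True
        ex.meow_hit = any(name.endswith("-meow") for name in ex.indices)
        prod = [n for n in ex.indices if "prod" in n.lower()]
        if prod:
            ex.notes.append(f"{len(prod)} index name(s) look like production data")
    return ex


def probe(base_url, timeout=5):
    """Live probe: two unauthenticated GETs, no writes.
    Only run this against hosts you are authorised to test."""
    def get(path):
        try:
            with urllib.request.urlopen(base_url + path, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            return e.code, e.read().decode("utf-8", "replace")
    root_status, root_body = get("/")
    cat_status, cat_body = get("/_cat/indices?format=json")
    return classify(root_status, root_body, cat_status, cat_body)


# Constructed sample responses (hypothetical; not from the incident)
OPEN_ROOT = json.dumps({"name": "node-1", "cluster_name": "prod-cluster",
                        "version": {"number": "7.9.0"}})
OPEN_CAT = json.dumps([{"index": "production-payments-2020", "docs.count": "1000"},
                       {"index": ".kibana_1", "docs.count": "12"}])
MEOW_CAT = json.dumps([{"index": "x9kz2-meow", "docs.count": "0"}])
SECURED_ROOT = json.dumps({"error": {"type": "security_exception",
                                     "reason": "missing authentication credentials"},
                           "status": 401})

if __name__ == "__main__":
    print(classify(200, OPEN_ROOT, 200, OPEN_CAT))
    print(classify(200, OPEN_ROOT, 200, MEOW_CAT))
    print(classify(401, SECURED_ROOT, 401, SECURED_ROOT))
```

A 401 with a `security_exception` body is what a cluster with authentication enabled returns; a 200 on the root and a populated index listing with no credentials is the condition the report describes, and is enough on its own to stop and notify the owner.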
As soon as I was able to validate the data and ownership, I immediately sent a responsible disclosure notice to multiple contacts at Sistecredito. Public access was restricted on Jan 5th, the same day as my notice, and the following day, Jan 6th, I received a reply:
“Thank you in advance for this information. We will immediately inform the appropriate authorities and we will take the necessary actions to prevent this from happening again”.
On the morning of Jan 7th I discovered another exposed database that contained the same information. I compared the data and determined that it also belonged to Sistecredito / Credinet. This would indicate that the data was exposed again on a different IP address. I suspect that they closed down the first instance and migrated to a new IP, but in the process left the same misconfiguration in place. I reached out again to notify them of the second exposure. Access was closed down immediately after my notice, but the most troubling part is the fact that there were two separate data breaches one day apart.
This was one of the largest datasets of financial records I have seen in a very long time. There are a few reasons why big banks or merchant processors are not exposing data the way they were just a few years back. Unfortunately, many of them have experienced some form of a data breach early on, learned a valuable lesson, and then made data protection a priority. The FinTech industry overall has done a much better job of investing in data security after some very high profile data exposures, fines, and court settlements. As this discovery highlights there is still a long way to go to protect financial records.
What Does Sistecrédito Do?
Sistecrédito provides merchant and payment services to companies, businesses, and users. CrediNet offers both a mobile app called Sistecredito personas and a web portal that advertises quick payments of bills and debts for users. As a requirement for setting up an account, users need to enter their citizenship card, immigration card, and document number. The Colombia-based bill payment platform allows individuals and businesses to pay their credits. According to an article published in 2018, the total portfolio of Sistecrédito amounts to 145 billion pesos, of which 6%, or 8.7 billion pesos, is in arrears or behind in payments. Sistecrédito has 5,500 affiliated stores in the apparel sector in 150 municipalities of the country.
According to Sistecrédito’s Facebook page:
We are a company specialized in handling consumer credit for installment sales in commercial establishments. Since 1996, we have been developing and evolving our logistics and infrastructure with cutting-edge technology and highly qualified personnel. We serve consumer loans massively and from a Contact Center with state-of-the-art technology in its software, allowing us to serve any municipality in the national territory. Being a non-bank entity, our proposal is to provide the consumer with payment alternatives such as “Current Account” or “Personal Credit” in which the consumer has a means of deferred payment in installments. Our company is in charge of studying and assigning a rotating credit quota that will be used for purchases in affiliated commercial establishments.
Data is valuable no matter where users and customers are located in the world. From California to Colombia, in today’s digital life we all share the very real risks associated with having personally identifiable information and financial data exposed. In many cases the threat could be even more significant in countries that do not have a strong legal structure or law enforcement technology to focus on cyber crimes.
Potential Risks of Criminals Exploiting This Data
The danger of this kind of exposure is that criminals could exploit the information in the database to contact users and pretend to be with Sistecredito. Using a position of trust and having access to sensitive and privileged information could allow criminals to trick users into giving them additional data, bank information, credit card numbers, and more. Social engineering scams are among the most common and successful forms of fraud. Often victims believe they are communicating with a company they have a business relationship with. There is no hacking needed when data is left publicly exposed, and criminals are very creative with how data is used.
Identity theft is another online privacy risk that could severely impact a user’s credit history or ability to obtain credit. The records contained everything needed to build a complete loan or credit profile, which gave a very clear look into what data was collected and stored and how it is used. This included the date of their credits, how much they owe, how much they have paid, due dates, whether payments were late or on time, and any fees associated with the payments. It also listed assurance taxes, down payments, and a complete financial picture of the individual users and customers. Identity theft is a long-term issue, and it can be a nightmare to prove that you are a victim of a crime and not a credit risk.
It is unclear how long the first dataset was exposed or who else may have gained access to these highly sensitive records. Sistecrédito acted fast and professionally to secure the data in both exposures. It is important that the affected individuals are made aware of the data incident and the online threats that follow it, and that they monitor any changes to their credit or debts. In any data breach, I highly recommend that the company or organization conduct a cyber forensics audit to determine how many external IP addresses accessed their internal records remotely.
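The audit recommended above starts from whatever access log survived in front of the open database. The following is an added example, not code from the report or from Sistecrédito, of the first pass of that audit: it reads a reverse-proxy access log in the common nginx/Apache "combined" format (the assumption being that some proxy or load balancer logged the requests), drops the organisation's own internal addresses, and summarises every external address by what it read and whether it deleted or wrote anything. The log lines are constructed; the external addresses are RFC 5737 documentation addresses standing in for real ones, which is why internal ranges are listed explicitly rather than taken from `ipaddress.is_private`, which would also exclude those documentation ranges.

```python
"""First pass of a post-exposure forensics audit over an access log.

Added example. Assumes a combined-format access log from a proxy in front of an
Elasticsearch-style cluster; the sample lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Our own ranges (RFC 1918, loopback, link-local, and their IPv6 equivalents).
# Listed explicitly so that the RFC 5737 documentation addresses used in the
# sample count as external, which ipaddress.is_private would not allow.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Path fragments whose successful use means data left the cluster
READ_MARKERS = ("_search", "_msearch", "_scroll", "_mget", "_sql")
WRITE_METHODS = {"PUT", "POST"}


def is_external(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def triage(lines):
    """Return {ip: summary} for every external address seen in the log."""
    out = defaultdict(lambda: {"requests": 0, "first": None, "last": None,
                                "bytes_out": 0, "reads": 0, "writes": 0, "deletes": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # unparsable line; count nothing
        ip = m["ip"]
        if not is_external(ip):
            continue
        s = out[ip]
        s["requests"] += 1
        s["first"] = s["first"] or m["ts"]
        s["last"] = m["ts"]
        if int(m["status"]) >= 400:
            continue                      # refused or failed: no data moved
        s["bytes_out"] += int(m["bytes"]) if m["bytes"] != "-" else 0
        method, path = m["method"], m["path"]
        is_read = method == "GET" or any(mk in path for mk in READ_MARKERS)
        if is_read:
            s["reads"] += 1
        if method == "DELETE":
            s["deletes"] += 1
        elif method in WRITE_METHODS and not is_read:
            s["writes"] += 1
    return dict(out)


def flag(summary, read_bytes_threshold=1_000_000):
    """Addresses worth naming in the incident report, with the reasons."""
    hits = {}
    for ip, s in summary.items():
        reasons = []
        if s["deletes"]:
            reasons.append(f'{s["deletes"]} delete(s)')
        if s["writes"]:
            reasons.append(f'{s["writes"]} write(s)')
        if s["bytes_out"] >= read_bytes_threshold:
            reasons.append(f'{s["bytes_out"]} bytes read')
        if reasons:
            hits[ip] = reasons
    return hits


# Constructed sample log (hypothetical; not from the incident)
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jan/2021:08:00:01 +0000] "GET /_cluster/health HTTP/1.1" 200 512',
    '198.51.100.23 - - [05/Jan/2021:09:12:44 +0000] "GET / HTTP/1.1" 200 498',
    '198.51.100.23 - - [05/Jan/2021:09:12:45 +0000] "GET /_cat/indices?format=json HTTP/1.1" 200 2310',
    '198.51.100.23 - - [05/Jan/2021:09:13:10 +0000] "POST /production-payments/_search?scroll=1m HTTP/1.1" 200 10485760',
    '203.0.113.77 - - [05/Jan/2021:11:40:02 +0000] "DELETE /production-customers HTTP/1.1" 200 21',
    '203.0.113.77 - - [05/Jan/2021:11:40:03 +0000] "PUT /x9kz2-meow HTTP/1.1" 200 63',
    '192.0.2.9 - - [05/Jan/2021:12:01:00 +0000] "GET /_search HTTP/1.1" 401 97',
]

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for ip, reasons in flag(summary).items():
        print(ip, summary[ip]["first"], "to", summary[ip]["last"], ";", ", ".join(reasons))
```

The byte counts matter as much as the request counts: a single scroll query that returns tens of megabytes is the bulk download the researcher is looking for, while a `DELETE` followed by a `PUT` of a "-meow" index is the signature of the automated wiper mentioned earlier. The output is the list of addresses the audit then has to attribute.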