Updated on December 26, 2017 by Dan O'Sullivan
Coming only months after the revelation that the personal information of over 143 million Americans had been stolen from the systems of credit agency Equifax, the UpGuard Cyber Risk Team has discovered a new, damaging exposure from within a financial firm, which, beyond revealing critical internal data, also exposes customer information compiled by all three major credit agencies. This highly concentrated level of exposure, thoroughly revealing customer credit history several times over, serves to highlight the myriad dangers a single exposure can unleash.
111 GB of internal customer information from National Credit Federation, a Tampa, Florida-based credit repair service, was left exposed in a publicly downloadable data repository, revealing to the public internet sensitive personal and financial information for tens of thousands of customers. Exposed among the leaked files were such sensitive documents and details as customer names, addresses, dates of birth, driver’s license and Social Security card images, credit reports from all three major agencies, personalized credit blueprints containing detailed financial histories, and full credit card and bank account numbers.
While there is fortunately nothing to indicate any such theft of data by malicious actors in this case, National Credit Federation data was left entirely accessible to anybody accessing the repository’s URL, highlighting the vital urgency for enterprises to secure their data and validate their configurations against any such exposures.
On October 3rd, 2017, UpGuard Director of Cyber Risk Research Chris Vickery discovered an Amazon Web Services S3 cloud storage bucket configured for public access, allowing any web user entering the repository’s URL to access and download the bucket’s contents. The bucket’s subdomain, “crm-mvp,” likely refers to “customer record management” or “customer relationship management,” theories seemingly corroborated by the repository’s contents: forty-seven thousand files, most of them PDF and text documents, containing the sensitive information of National Credit Federation customers.
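The exposure described above comes down to a bucket ACL or bucket policy granting access to everyone, which is exactly what an owner can audit before a researcher finds it. The following is an added example, not code from the original post or from UpGuard, that checks the two data shapes AWS returns (`aws s3api get-bucket-acl` and `get-bucket-policy`) offline against a constructed sample ACL; the function names are my own.

```python
import json

# ACL group URIs that grant access to anyone on the internet (AllUsers) or to any AWS account
# holder (AuthenticatedUsers); a grant to either in a bucket ACL makes the bucket public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def acl_public_grants(acl):
    """(group, permission) pairs an ACL (shape of `s3api get-bucket-acl`) hands to public groups."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return hits

def policy_public_actions(policy_json):
    """Actions granted to everyone by unconditional Allow statements in a bucket policy document."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    actions = []
    for st in statements:
        principal = st.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if st.get("Effect") == "Allow" and wildcard and "Condition" not in st:
            action = st.get("Action", [])
            actions.extend(action if isinstance(action, list) else [action])
    return actions

def bucket_is_public(acl, policy_json=None, public_access_block=None):
    """True when the ACL or policy exposes the bucket and S3 Block Public Access does not override it.
    All four PublicAccessBlockConfiguration flags set is the posture that neutralises both paths."""
    flags = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    if public_access_block and all(public_access_block.get(f) for f in flags):
        return False
    if acl_public_grants(acl):
        return True
    return bool(policy_json and policy_public_actions(policy_json))

# Constructed sample with the shape of a "public read" ACL grant; not NCF's real configuration.
OPEN_ACL = {
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
```

The matching remediation for a bucket this audit flags is `aws s3api put-public-access-block --bucket NAME --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true`, after which `bucket_is_public` returns False regardless of the ACL or policy.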
The files appear to have been compiled during the process National Credit Federation customers go through with the firm, as described on the company’s website: initially, discussion with NCF representatives about the customer’s financial situation, followed by disputes of customer credit report items with the aim of improving the customer’s credit score. As such, three general pools of data live in the exposed repository: documents submitted by customers to NCF providing their personal and financial details, “personalized credit blueprints” and videos created by NCF for their customers, and customer credit reports from Equifax, Experian, and TransUnion - the “big three” credit reporting agencies.
The personal documents submitted by customers to NCF are expansive and highly sensitive; their exposure left tens of thousands of individuals entirely compromised against the threats of identity theft and financial attack. Photographs and scans of customers’ driver’s licenses, as well as completed forms and documents, provide sensitive personal details such as full names, dates of birth, addresses, and financial histories.
There are graver exposures within the repository. Photographs and scans of Social Security cards reveal full customer Social Security numbers, while other submitted documents contain full customer bank account and credit card numbers. All of this data could be easily used by malicious actors to steal identities and compromise the personal finances of NCF customers.
Content in the repository apparently created by NCF includes personalized credit blueprints compiling a great deal of sensitive customer data in one form - everything from who owns a mortgage to how regularly a customer paid their credit card bills. Video files within the repository depict NCF employee computer desktops, recorded using a screen-recording program, as an employee accesses customer records and explains their significance. The videos appear to have been made specially for individual customers, and are rife with personally identifying information.
Finally, the repository contains thousands of customer credit reports compiled by Equifax, Experian, and TransUnion, running down the personal financial histories of each customer, in some cases multiple times.
The presence of Equifax credit reports within this exposed repository is an unfortunate echo of the credit agency’s breach earlier this year by malicious actors who succeeded in stealing the personal and financial details of virtually every American adult. While the number of those affected by this incident is fortunately much smaller, the NCF data exposure is an indication of just how widespread cyber risk is among small and mid-sized financial enterprises. The presence of third-party enterprises in this exposure, such as Equifax, further speaks to the increasingly chaotic conditions under which one enterprise’s exposure can wreak havoc across multiple entities. How many more buckets of this type, containing the most compromising personal and financial details imaginable, are out there, totally unsecured and awaiting discovery by the first bad guy to find them?
A conservative estimate of the number of NCF customers affected by this exposure would be below forty thousand individuals, all of whom needed help in restoring their finances. In short, these are people who needed and asked for assistance in getting their lives back on track, and were repaid, through a process still unknown, by having the information they furnished revealed online. The unsecured bucket was being continually updated until UpGuard’s discovery and subsequent notification of NCF, raising the specter of malicious actors simply sitting and waiting as a fresh supply of victims flowed into their grasp. This exposure could have affected you or a family member who chose to trust this enterprise with their data - an unavoidable choice for anybody seeking to participate in the economy today.
The total lack of protection of these people’s data, the remarkably simple means by which any internet user could find and download the information, and the sensitivity of the information contained therein, speak to the real challenges of fostering cyber resilience today. Security ratings can begin to help consumers determine whether to trust an enterprise with their information, but this is not enough. In order to ensure that the pandemic of cloud leaks and data exposures of this kind is arrested, enterprises must become serious about investing time and resources into full visibility and control of their systems.
Misconfigurations are an internal problem emanating from within the IT infrastructure of any enterprise; no hacker is necessary for massive damage to occur to digital systems and stored data. And the problem is pervasive, with Gartner estimating that anywhere from 70% to 99% of data breaches result not from external, concerted attacks, but from internal misconfiguration of the affected IT systems.
Cyber Risk Analyst
As a security researcher, Chris possesses a long track record of professional distinction and success discovering major data breaches and vulnerabilities across the cyber landscape. Previous achievements have included reports on the online exposure of hundreds of thousands of patient medical records, an illegal spam operation insecurely storing 1.4 billion target email addresses, a series of unsecured MongoDB databases which threatened the security of millions of internet users, and a publicly accessible database containing the voter registration records for 93.4 million Mexican citizens. As a researcher and analyst, Chris has helped to protect the most sensitive data of hundreds of millions of people, while raising awareness of the looming issues of cyber risk.
Cyber Resilience Analyst
Dan’s writing and journalism has appeared in VICE, Rolling Stone, Salon, The Daily Beast, Gawker, and Deadspin. His essay for Jacobin about labor exploitation in professional wrestling was anthologized in The Best American Sports Writing 2015. As a writer and analyst, Dan communicates the most important and relevant lessons of data breaches to both technically-proficient readers and to a general audience of those most affected by cyber risk.