National Credit Federation leaked US citizen data through unsecured AWS bucket

The National Credit Federation (NCF) has become the latest in a long list of companies to leave the sensitive, private data of customers exposed for all to see online.
According to Chris Vickery, UpGuard Director of Cyber Risk Research, the Tampa, Florida-based credit repair firm left 111GB of internal customer information on an Amazon Web Services S3 cloud storage bucket configured to allow public access without restriction.
In a blog post, Vickery said the discovery was made on 3 October, 2017.
Information on the server, potentially impacting tens of thousands of customers, included customer names, addresses, dates of birth, driver’s license and Social Security card scans, credit blueprints containing detailed financial histories, and full credit card and bank account numbers.
In addition, credit reports from Equifax, Experian, and TransUnion were found in the repository, and in some cases, multiple copies were discovered.
This is a huge amount of information which could be used by fraudsters and criminals to conduct identity theft and destroy their victims’ finances.
In order to access this information, all anyone needed to do was to enter the repository’s URL and download the files they wanted.
“National Credit Federation data was left entirely accessible to anybody accessing the repository’s URL, highlighting the vital urgency for enterprises to secure their data and validate their configurations against any such exposures,” the security researcher said. “This highly concentrated level of exposure, thoroughly revealing customer credit history several times over, serves to highlight the myriad dangers a single exposure can unleash.”
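The kind of configuration check the researcher calls for, as an added example that is not code from the article or from UpGuard: it takes the ACL and bucket-policy documents in the shape boto3’s `get_bucket_acl()` and `get_bucket_policy()` return and flags grants or statements that let anyone with the URL read objects. The sample ACL and policy are constructed for the demonstration.

```python
"""Audit S3 bucket ACL / policy documents for anonymous read access (added example,
not code from the article or from UpGuard; sample inputs below are constructed)."""
import json

# Group URIs AWS uses for "anyone" and "any AWS account" grantees.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"*", "s3:*", "s3:GetObject"}

def public_acl_grants(acl):
    """List (group, permission) pairs given to public groups, shaped like get_bucket_acl()."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found

def _principal_is_public(principal):
    # A policy principal may be "*" or {"AWS": "*"} / {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy_json):
    """List Sids of unconditional Allow statements granting read actions to everyone."""
    found = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if READ_ACTIONS.intersection(actions) and "Condition" not in stmt:
            found.append(stmt.get("Sid", "<no Sid>"))
    return found

# Constructed samples: an ACL granting READ to AllUsers, and a policy making every object public.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

Run the two functions over every bucket in an account and any non-empty result is a bucket readable without credentials; the newer account-level Block Public Access setting closes both paths at once.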
It is possible that up to 47,000 NCF customers have been impacted. The researcher says that the bucket’s subdomain, “crm-mvp,” likely refers to either customer relationship or customer record management, and the contents appear to back this theory as there are 47,000 files — most of them PDF and text files — which contain the information of customers.
“A conservative estimate of the number of NCF customers affected by this exposure would be below forty thousand individuals, all of whom needed help in restoring their finances,” Vickery says. “In short, these are people who needed and asked for assistance in getting their lives back on track, and were repaid, through a process still unknown, by having the information they furnished revealed online.”

Until UpGuard notified NCF of the discovery, the repository was in a state of constant update.
However, there is no indication at the moment that any attackers found and exploited this security failure.
This is far from the first time that deeply sensitive and confidential information concerning US citizens has been leaked online.
Earlier this year, credit giant Equifax admitted to a data breach which exposed the data of roughly 145 million customers, including names, social security numbers, birth dates, home addresses and some driving license details, eventually costing the company $87.5 million in damage control.
Last year, a US government subcontractor, Potomac Healthcare Solutions, used an unsecured server to hold sensitive details belonging to active military healthcare professionals, which Vickery found to be open for the world to see.
In related news, this week, the contents of a hard drive belonging to a division of the US National Security Agency (NSA) were exposed online. The virtual disk image contained over 100GB of data relating to a military project dubbed “Red Disk,” and was left on an unlisted but public Amazon Web Services server.
ZDNet has reached out to the NCF and will update if we hear back.