Governance & Risk Management , IT Risk Management , Risk Assessments
Unsecured Database Exposes Financial Records: Report
Researcher Says S3 Bucket Linked to Advantage Capital Funding, Argus Capital FundingAn unsecured Amazon Web Services S3 bucket left 425 GB of sensitive financial data, including credit reports, bank statements and more, exposed to the internet, according to a VPNMentor researcher.
The database, which contained approximately 500,000 private legal and financial documents, was linked, in part, to a mobile financial application called MCA Wizard, which launched in January 2018 but is now no longer available on either the Apple or Google app stores, according to the report.
Two financial firms, Advantage Capital Funding and Argus Capital Funding, developed the MCA [Merchant Cash Advance] Wizard app, the report states. The financial tool was used to provide short-term, high-interest loans, as well as credit advances, to small businesses, the researcher says.
In the report, Noam Rotem, a self-described security researcher and hacktivist, notes that the unsecured database, which lacked passwords and encryption, contained financial data that appears to have come from Advantage Capital Funding and Argus Capital Funding - it's not clear what connection, if any, the data had to the MCA Wizard app.
The exposed data included credit reports; bank statements; contracts; legal paperwork; driver’s licenses; purchase orders and receipts; tax returns; transaction reports for credit cards and merchant bank accounts; scanned copies of bank checks; access information for bank accounts; corporate shares outlines; and Social Security information, according to the report.
"These files didn’t just compromise the privacy and security of Advantage and Argus, but also the customers, clients, contractors, employees and partners," according to the report. While the data was exposed to anyone who had internet access and the web address, Rotem does not say if any of the information was stolen or offered for sale on dark net forums. The report also does not indicate how long the data may have been exposed
Discovery Process
Rotem and fellow researcher Ran Locar are working on a large-scale web mapping project that is using port scanning techniques to look at various known IP blocks and addresses. During this project, they have found weaknesses and data leaks in numerous files and systems that are stored in the cloud and exposed to the internet (see: Unsecure Database Exposed US Military Personnel Data: Report).
Rotem says he first discovered the exposed Advantage Capital Funding and Argus Capital Funding database on Dec. 24, 2019. He then contacted the two financial firms on Dec. 30 to alert them that their data had possibly been exposed, according to the report.
After several unsuccessful attempts to reach Advantage Capital Funding and Argus Capital Funding, Rotem then contacted AWS on Jan. 7, and access to the database was closed off and password protected two days later, the report states.
Rotem notes that while the exposed database's URL contained files related to "MCA Wizard," most of the files appeared to have come from Advantage Capital Funding and Argus Capital Funding, with little or no connection to the app. The report notes that data was still being uploaded to the S3 bucket even after the mobile app was no longer available for download.
The two companies were could not be reached for comment.
Other Databases
Rotem and other researchers have made other discoveries of unsecured databases that have left thousands of records exposed.
In February, for example, Rotem and Locar discovered an unsecured database belonging to French tech firm NextMotion exposed content on 900,000 patients (see: Plastic Surgery Database Exposed: Researchers).
In November 2019, the two researchers found unsecured AWS servers of restaurant payment app PayMyTab that left payment card and other customer data exposed (see: PayMyTab Exposes Restaurant Customer Data: Report).