Indian Credit Services Company Exposed Thousands of Customer Files

Kromtech Security Center researchers have discovered a trove of personal data that appears to be connected to the Indian based credit services company CreditSeva (creditseva.com).

After a series of news which covered the importance of keeping online repositories secured, we again ran a custom check on several most common suffixes used for S3 domain names creation and were surprised to see, how many of those are wide open, streaming data to the public internet.

In this instance Kromtech Security Center researchers discovered a misconfigured Amazon S3 bucket that was not password protected, leaving thousands of Indian citizens vulnerable. It is unclear how long the misconfigured data was publically available or who else had access to it.

The availability of open Amazon S3 buckets makes them very easy to access. So, in this particular case, if you know the address you can view, download and even edit the files directly in your browser. No need to install additional clients or use sophisticated techniques. 

By default, S3 buckets are set to the private access. However, for some reasons (perhaps, for easy sharing purposes internally) IT managers sometime manually set it to public access.


Bob Diachenko, chief security communications officer at Kromtech Security Center: "In order to protect your S3 data from loss and unauthorized access, each company and individual using Amazon cloud infrastructure must ensure there aren't any publicly accessible S3 buckets available in account  A publicly accessible S3 bucket allows full control access to everyone (i.e. anonymous users) to list (read) the objects within the bucket, upload/delete (write) objects, view object permissions and edit) object permissions

"We at Kromtech Security Center strongly recommend against using all these permissions for the “Everyone” ACL predefined group in production".

We all know that you need a good credit score to obtain loans and get the best interest rates, but what if that data is leaked online? To obtain a credit report or monitor someone’s soore they must provide the same personal data that a criminal would need to engage in identity theft or other cyber crimes.

Any company or service that deals with sensitive customer data must take every precaution to protect customer data and how they store it.

Estimated number of customers who had their scanned data exposed is around 48 thousands. 

According to their website: “Data Security - Our expert Information Security team helps to improve network Infrastructure quality. Completely secured Data - Secured Data on ISO 27001 compliant, world class data network infrastructure. Highly secured - Bank level data security with 128 Bit encryption on all transactional data”. However, researchers were able to see thousands of scanned ID cards, home addresses, credit reports, accounts, and even pictures of customers.  

Some of the folders contain a substantial number of private files:

Logs: 156,418

User Uploads: 48,643+

Alex Kernishniuk, VP of strategic alliances at Kromtech: "This discovery comes on the heels of another data leak in July when the telecom company Jio leaked the data of an estimated 100 million customers. Cyber security analysts have said that leak may be the first large-scale breach of an Indian telecom firm. Once again it is a warning sign for companies big or small to audit their infrastructure and how they manage sensitive data".

 

 


Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.

Do you have security tips or suggestions? Contact: security@kromtech.com

You may also like

Ashley Madison's Private Picture Aren't That Private Virtual Keyboard Developer Leaked 31 Million of Client Records Location Intelligence Company Leaks Repositories Full of Data Online