More American financial data leaks from unsecured S3 bucket

The National Credit Federation left more than 100GB of identifiable information exposed

In a leak reminiscent of the Equifax hack, the American financial industry has seen another data breach, this one affecting as many as 40,000 people, after an unsecured Amazon S3 bucket belonging to the National Credit Federation (NCF) was left exposed online.

The NCF is a credit repair service, which claims to be able to fix inaccurate information in credit histories. Considering the importance of a credit history in the USA, the company holds a huge amount of personal data from its customers, sourced from all three of the country's major credit agencies (Equifax, Experian and TransUnion).

A publicly downloadable data repository holding over 100GB of data was left exposed, making personal data on ‘tens of thousands’ of customers available to anyone who wanted it, says cyber resilience specialist UpGuard, which discovered the leak on 3rd October.

‘Photographs and scans of customers' driver's licenses, as well as completed forms and documents… Photographs and scans of Social Security cards… [and] full customer bank account and credit card numbers’ were exposed in the repository, UpGuard's Dan O'Sullivan wrote in a blog post. In addition, ‘Video files within the repository depict NCF employee computer desktops, recorded using a screenlogging program, as an employee accesses customer records and explains the significance. The videos appear to be specially made for individual customers, and are rife with the depiction of personally identifying information.’

‘While there is fortunately nothing to indicate any such theft of data by malicious actors in this case, National Credit Federation data was left entirely accessible to anybody accessing the repository's URL, highlighting the vital urgency for enterprises to secure their data and validate their configurations against any such exposures,’ O'Sullivan said.

The NCF continued to add new information to the open database until notified about the problem by UpGuard.

This leak, which bears similarities to the TigerSwan incident in September, demonstrates the dangers of the public cloud, where companies often lack visibility and one company's mistake can expose customer details from third parties, in this case Experian, TransUnion and Equifax (again).