Over 100GB of Secret Consumer Credit Data Leaked Online

Written by

Some 111GB of highly sensitive information including consumer credit histories has been exposed by the National Credit Federation as the result of yet another misconfigured Amazon Web Services (AWS) S3 cloud storage bucket.

UpGuard’s noted director of cyber risk research, Chris Vickery, made the discovery in early October. The cloud database was configured for public access, meaning anyone entering the repository’s URL could access and download the its contents.

Although the leak affected only around 40,000 consumers, the data concerned is highly sensitive, including credit reports from the big three agencies — Equifax, Experian and TransUnion.

“Exposed among the leaked files were such sensitive documents and details as customer names, addresses, dates of birth, driver’s license and Social Security card images, credit reports from all three major agencies, personalized credit blueprints containing detailed financial histories, and full credit card and bank account numbers,” explained UpGuard’s Dan O’Sullivan.

“How many more buckets of this type, containing the most compromising personal and financial details imaginable, are out there, totally unsecured and awaiting discovery by the first bad guy to find them?”

He argued that the leaked data could easily be used by hackers to commit identity theft.

The leak follows countless more before it, all the result of basic misconfiguration mistakes. Just this week another Pentagon snafu was revealed after UpGuard discovered highly classified data belonging to the United States Army Intelligence and Security Command (INSCOM).

In response to growing security concerns around the public cloud, Amazon Web Services this week launched GuardDuty, a new threat detection service also designed to spot misconfigurations.

However, experts argued the tool may not have the impact Amazon hopes.

“The problem is that Amazon can only scratch the surface of the real issue. Ultimately, GuardDuty is another source of data and alerts that can feed into SIEM, and simply giving more alerts doesn’t make organizations any more secure,” said Awake Security CEO, Michael Callahan.

“Ensuring those alerts are prioritized, investigated and resolved in a timely manner is the key. From a security analyst standpoint, it can be easy for more alerts to get lost in the noise they experience every day.”

What’s hot on Infosecurity Magazine?