The personal and financial data of about 40,000 Americans has leaked on the Web via an unsecured Amazon Web Services S3 bucket, the security firm UpGuard reports.
The data, from the Tampa-based credit repair service National Credit Federation, included customer names, addresses, dates of birth, driver’s licence and Social Security card images, credit reports from all three major agencies, personalised credit blueprints containing detailed financial histories, and full credit card and bank account numbers.
UpGuard's director of Cyber Risk Research, Chris Vickery, found the data on 23 October, a total of 47,000 files, mostly PDF and text documents.
There were three general kinds of documents found: documents submitted by customers with personal and financial details, “personalised credit blueprints” and videos created by NCF for their customers, and customer credit reports from Equifax, Experian, and TransUnion – the “big three” credit reporting agencies.
{loadposition sam08}A leak at Equifax revealed the details of 143 million Americans in July. The leak was reported only in September.
An UpGuard blog post said the personal documents submitted by NCF customers were "expansive and highly sensitive; their exposure left tens of thousands of individuals entirely compromised against the threats of identity theft and financial attack. Photographs and scans of customers’ driver’s licences, as well as completed forms and documents, provide sensitive personal details such as full names, dates of birth, addresses, and financial histories".
The available data could easily be used for identity theft and compromise of personal finance histories of the people involved, UpGuard said.
Apart from this data, video files within the repository depicted NCF employee computer desktops, which had been recorded using a screenlogging program, as an employee accesses customer records and explains the significance.
"The videos appear to be specially made for individual customers, and are rife with the depiction of personally identifying information," UpGuard added.
In the past, UpGuard has found misconfigured Amazon Web Services S3 buckets leaking data from the NSA, the Pentagon, global corporate consulting and management firm Accenture, publisher Dow Jones, a Chicago voter database, a North Carolina security firm, and a contractor for the US National Republican Committee.