December 04, 2017

NCF: Sensitive, private customer data exposed online

National Credit Federation (NCF)

Among several recent large data leaks, the latest appears to involve the National Credit Federation (NCF), which reportedly left sensitive, private customer data exposed online, including credit card numbers, bank account numbers, Social Security numbers, and credit reports from the three major reporting agencies Equifax, Experian, and TransUnion.

NCF is a nationwide, membership-based organization that aims to help people who are in, or have come through, a financial crisis take back control of their finances and credit.

Chris Vickery, Director of Cyber Risk Research at UpGuard (a cyber-resilience company that assesses an organization's cyber-risk factors by scanning its internal and external systems), stated that NCF left 111GB of internal customer information in an Amazon Web Services S3 storage bucket configured to allow unrestricted public access. Vickery, who discovered the bucket, said the discovery was made on October 3, 2017.

The data in the bucket potentially affected tens of thousands of customers. It included customer names, addresses, dates of birth, scans of driver's licenses and Social Security cards, credit blueprints containing detailed financial histories, and full credit card and bank account numbers. In some cases, multiple copies of the same records were found in the repository. This is more than enough for fraudsters to commit identity theft and wreck a victim's finances. Until NCF was notified of the discovery, the repository was still being actively updated.

To access this information, a fraudster would only have had to enter the repository's URL in a browser and download whatever files they wanted; no credentials were required.
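The misconfiguration described here is a bucket whose policy or ACL grants list and read permissions to everyone. The following Python check is an added example, not code from UpGuard, NCF or the original article. It evaluates a bucket policy document, an ACL grant list and the Block Public Access settings offline, on constructed inputs (the bucket name, account ID and role name are placeholders) in the JSON shapes that `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` return, and it shows the leaky configuration beside a hardened one.

```python
"""Offline detector for the S3 misconfiguration behind the NCF exposure: a
bucket whose policy or ACL lets anonymous callers list and download objects.
Added example with constructed inputs; nothing here is NCF's real config."""
import fnmatch
import json

# ACL grantee groups meaning "the whole internet" (AllUsers) or "anyone
# holding any AWS account" (AuthenticatedUsers), which is just as bad.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions an anonymous visitor needs to enumerate a bucket and pull files.
RISKY_ACTIONS = ("s3:ListBucket", "s3:GetObject")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. unauthenticated access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and "*" is a wildcard.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_findings(policy):
    """Return {(action, sid)} for Allow statements that hand list/get to
    everyone with no Condition narrowing them (e.g. to a VPC endpoint)."""
    findings = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditioned grants need a human reviewer, not auto-flagging
        for pattern in _as_list(stmt.get("Action", [])):
            for action in RISKY_ACTIONS:
                if _action_matches(pattern, action):
                    findings.add((action, stmt.get("Sid", "<no Sid>")))
    return findings


def acl_findings(grants):
    """Return {(permission, group)} for grants to the public ACL groups."""
    findings = set()
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            findings.add((grant.get("Permission"), grantee["URI"].rsplit("/", 1)[-1]))
    return findings


def is_publicly_readable(policy, grants, public_access_block):
    """Combine the three sources the way S3 does: a public policy is neutralised
    by RestrictPublicBuckets, a public ACL by IgnorePublicAcls."""
    via_policy = policy_findings(policy) and not public_access_block.get("RestrictPublicBuckets", False)
    via_acl = acl_findings(grants) and not public_access_block.get("IgnorePublicAcls", False)
    return bool(via_policy or via_acl)


# --- constructed inputs (placeholder names, not real resources) --------------
LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
  }]
}""")
LEAKY_ACL = [{"Grantee": {"Type": "Group",
                          "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
              "Permission": "READ"}]
NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

# Hardened version: only one named application role may read, and all four
# Block Public Access switches are on.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AppRoleOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/crm-app"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
  }]
}""")
PRIVATE_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                "Permission": "FULL_CONTROL"}]
FULL_BLOCK = {key: True for key in NO_BLOCK}

if __name__ == "__main__":
    for name, pol, acl, pab in (("leaky", LEAKY_POLICY, LEAKY_ACL, NO_BLOCK),
                                ("hardened", HARDENED_POLICY, PRIVATE_ACL, FULL_BLOCK)):
        print(name, "public:", is_publicly_readable(pol, acl, pab),
              sorted(policy_findings(pol)), sorted(acl_findings(acl)))
```

Against a live bucket the same three inputs come from `aws s3api get-bucket-policy`, `aws s3api get-bucket-acl` and `aws s3api get-public-access-block`. The quickest proof of exposure from the outside, the view Vickery would have had, is `aws s3 ls s3://<bucket> --no-sign-request`, which lists the contents exactly as an anonymous visitor sees them. Turning on Block Public Access at the account level is the single change that would have neutralised both a public policy and a public ACL here, which is why the check treats it as the final gate.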

According to Vickery, “The files appear to have been compiled during the process National Credit Federation customers go through with the firm, as described on the company's website: initially, discussion with NCF representatives about the customer's financial situation, followed by disputes of customer credit report items with the aim of improving the customer's credit score. As such, three general pools of data live in the exposed repository: documents submitted by customers to NCF providing their personal and financial details, ‘personalized credit blueprints’ and videos created by NCF for their customers, and customer credit reports from Equifax, Experian, and TransUnion - the ‘big three’ credit reporting agencies.”

Vickery then said, "National Credit Federation data was left entirely accessible to anybody accessing the repository's URL, highlighting the vital urgency for enterprises to secure their data and validate their configurations against any such exposures. This highly concentrated level of exposure, thoroughly revealing customer credit history several times over, serves to highlight the myriad dangers a single exposure can unleash."

Nearly 47,000 files were found in the bucket, whose name appears as the “crm-mvp” subdomain in its URL; most were PDF and text documents containing sensitive data on NCF customers. Because many customers appear in more than one file, the number of individuals affected is lower than the file count. Vickery said that “crm-mvp” likely refers to customer relationship management or customer record management.

Vickery further added, "A conservative estimate of the number of NCF customers affected by this exposure would be below forty thousand individuals, all of whom needed help in restoring their finances. In short, these are people who needed and asked for assistance in getting their lives back on track, and were repaid, through a process still unknown, by having the information they furnished revealed online."
