Security researchers at VpnMentor recently discovered a massive exposure of sensitive legal and financial documents online that were stored in an AWS database operated by two finance companies based in New York.
According to the researchers, the database appeared to be linked to MCA Wizard, an iOS and Android app developed and run by two New York-based finance companies, Advantage Capital Funding and Argus Capital Funding, which offered "Merchant Cash Advance" products such as loans and credits to small business owners.
The unsecured S3 database was found on Amazon Web Services in December 2019, and the researchers noted that it was not protected by any encryption, authentication or access credentials, leaving it open to anyone with an Internet connection and the S3 bucket's address.
Though the URL of the database contained MCA Wizard, most files were not related to the application run by the two finance companies. Instead, it contained over 500,000 documents, totalling 425GB of unprotected data.
The wide range of documents in the database included credit reports, bank statements, contracts, legal paperwork, driver’s licenses, purchase orders and receipts, tax returns, transaction reports for credit cards and merchant bank accounts, scanned copies of bank cheques, access information for bank accounts, corporate shares outline and Social Security information.
“Throughout our research, files were still being uploaded to the database, even though MCA Wizard seems to have been closed down. Finally, when we tried to contact both companies, we were unable to do so. Argus does not provide a contact email, while our emails to Advantage’s contact address failed to deliver,” they added.
Public access to the exposed database was finally closed on 9 January after the researchers contacted AWS directly, having failed to elicit any response from the two finance companies.
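The three gaps the researchers describe (no authentication, no access control, no encryption) can be checked for from a bucket's own settings. The following is an added example, not code from VpnMentor, AWS or the companies involved: it audits settings held in dictionaries shaped like the S3 API responses for the public access block, ACL, bucket policy and default encryption. The sample settings and bucket name are constructed, and the public-policy test is a simplification.

```python
import json

# ACL grantee URIs meaning "everyone" and "any AWS account holder".
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard(principal):
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in _as_list(aws)

def audit_bucket(cfg):
    """Return findings for one bucket's settings (shaped like S3 API responses)."""
    findings = []
    pab = cfg.get("PublicAccessBlock") or {}
    # A public ACL grant stays effective unless IgnorePublicAcls is set.
    if not pab.get("IgnorePublicAcls"):
        for grant in cfg.get("AclGrants", []):
            if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
                findings.append("public-acl:" + grant["Permission"])
    # A public policy stays effective unless RestrictPublicBuckets is set.
    # Simplification: an Allow to a wildcard principal with no Condition is public.
    if not pab.get("RestrictPublicBuckets"):
        policy = json.loads(cfg.get("Policy") or '{"Statement": []}')
        for stmt in _as_list(policy.get("Statement", [])):
            if (stmt.get("Effect") == "Allow" and not stmt.get("Condition")
                    and _wildcard(stmt.get("Principal"))):
                findings += ["public-policy:" + a for a in _as_list(stmt.get("Action", []))]
    if not cfg.get("EncryptionRules"):
        findings.append("no-default-encryption")
    return findings

# Constructed sample settings; the bucket name is a placeholder.
EXPOSED = {
    "PublicAccessBlock": None,
    "AclGrants": [{"Permission": "READ", "Grantee": {
        "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}],
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*"}]}),
    "EncryptionRules": [],
}
LOCKED = dict(EXPOSED,
    PublicAccessBlock={"IgnorePublicAcls": True, "RestrictPublicBuckets": True},
    EncryptionRules=[{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}])
if __name__ == "__main__":
    print(audit_bucket(EXPOSED), audit_bucket(LOCKED))
```

The same ACL and policy produce no findings once the public access block is enabled, which is why the block is checked before either grant is reported.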
Strict GDPR penalties and controls required to prevent the exposure of sensitive data
In response to the data exposure, Javvad Malik, Security Awareness Advocate at KnowBe4, said that “cloud databases have made it increasingly cost-effective and convenient to store, process, and share large amounts of data quickly and efficiently. And while cloud infrastructure can be comparatively secure - it does come with different risks. As this incident shows, it is another case of a database that should have been private, left exposed to the open internet.
“By doing so, the impact of such breaches is huge. Therefore, it is important that administrators who set up and maintain such databases are adequately trained in how to secure them. Furthermore, organisations should have a security assurance plan in place by which they can validate that systems are set up and secure as they should be,” he added.
“Security for data in the cloud is still an oversight for many businesses. Under GDPR all personally identifiable information must be secured with policies and processes in place which allow for audit and compliance.
“Until stricter penalties and controls are issued to companies who hold personal data this type of breach is unfortunately seen all too often. Simple solutions like encrypting all sensitive PII in the cloud would mean this situation never arises even when the company goes bust and walks away,” said Raif Mehmet, Sales Director at Bitglass.