A Florida-based credit repair company left 111 gigabytes of extremely sensitive customer information and internal company data publicly accessible on the internet possibly for up to two years.
The National Credit Federation publicly exposed 47,000 files that included customer names, addresses, dates of birth, driver’s licenses, Social Security cards, credit reports, financial histories, credit card numbers and bank account numbers, according to Chris Vickery, a researcher at the cybersecurity firm UpGuard. File upload dates suggest the public exposure extends back to June 2015.
Vickery discovered the data after finding an Amazon Web Services S3 cloud storage bucket used by the company was configured for public access. NCF’s exposure is the latest in a string of organizations leaving sensitive data accessible by the public via an S3 instance.
“This wasn’t secure whatsoever,” Vickery said of the NCF data. “You could just type in the URL and any web browser would allow you to download all the files. They made it completely publicly facing with no security whatsoever.”
The National Credit Federation’s data includes thousands of customer credit reports from Equifax, Experian and TransUnion that detail the personal financial histories of each customer in extreme depth. The company helps individuals with financial and credit issues to fight damaging claims and improve their credit scores. In order to do so, customers share troves of sensitive data, including letters from credit agencies. NCF then automates the process to dispute information in the reports.
NCF did not respond to multiple requests for comment.
This exposure comes three months after Atlanta-based credit monitoring giant Equifax revealed data impacting 145 million Americans had been stolen from their servers. The perpetrator of that breach remains unknown. That breach was carried out in part due to Equifax’s failure to patch a flaw in the open source web application Apache Struts.
When customers call NCF, they often send digital copies of sensitive documents to the company. Here are some redacted examples of sensitive data left publicly accessible on the web by the company:
Vickery discovered the data on Oct. 3, 2017. It wasn’t until Oct. 25 that Vickery first spoke with NCF. It took until Nov. 10 for the data to be secured.
“Probably the most damage that could have come from this is that it was being updated every day,” Vickery said. “Someone could have just sat on this and read from it.”
It’s not clear if the data was found by anyone other than Vickery. When sold on criminal black markets, similar data can sell for up to $8 per person, according to the cybersecurity firm Flashpoint. A database like the one Vickery found would be worth hundreds of thousands of dollars if sold on the dark web or underground forums.
Vickery described the incident as a “pretty cavalier mistake” since someone would have to turn off default settings inside AWS for the error to occur.
“With S3, the buckets by default are private,” he said. “There are a few options you can turn on to expose it publicly to the internet. They, for whatever reason, turned those settings on. It is only a few clicks away but you have to be purposefully doing it.”
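The settings Vickery describes are visible in two places on a bucket: its policy document and its access control list. The following is an added example, not code from the article, from UpGuard or from NCF, showing an offline check that flags the two configurations which make a bucket world-readable (a policy statement that allows read actions to the wildcard principal with no condition, and an ACL grant to the AllUsers or AuthenticatedUsers groups) beside the locked-down equivalents. The sample policy and ACL documents, the bucket name and the role ARN are constructed placeholders; no AWS call is made.

```python
"""Offline audit of S3 bucket policy and ACL documents for public read access.

Added example; the documents below are constructed, not taken from any real
account. Shapes follow what boto3's get_bucket_policy and get_bucket_acl return.
"""

# ACL grantee groups that mean "everyone" (AllUsers) or "any AWS account"
# (AuthenticatedUsers); either one exposes the bucket beyond its owner.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions that let an anonymous caller list or fetch objects.
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}


def _is_wildcard_principal(principal):
    """True when a policy statement applies to every caller ("*" or AWS: "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def policy_findings(policy):
    """Return one finding per Allow statement that grants read actions to everyone."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        exposed = sorted(a for a in actions if a in READ_ACTIONS)
        # A Condition block may narrow the wildcard (e.g. to a VPC endpoint);
        # only an unconditional grant is reported here.
        if exposed and not stmt.get("Condition"):
            sid = stmt.get("Sid", "<no Sid>")
            findings.append(f"policy {sid} grants {', '.join(exposed)} to everyone")
    return findings


def acl_findings(grants):
    """Return one finding per ACL grant to a public grantee group."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    return findings


def audit_bucket(policy, grants):
    """Combine both checks; an empty list means no public-read setting was found."""
    return policy_findings(policy) + acl_findings(grants)


# Constructed "weak" configuration: the few settings that open a bucket to the web.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-docs/*",  # placeholder bucket
    }],
}
WEAK_ACL = [
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

# Constructed corrected configuration: same bucket, access limited to one role.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/ExampleAppRole"},  # placeholder
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-docs/*",
    }],
}
FIXED_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
     "Permission": "FULL_CONTROL"},
]

if __name__ == "__main__":
    for label, pol, acl in (("weak", WEAK_POLICY, WEAK_ACL),
                            ("fixed", FIXED_POLICY, FIXED_ACL)):
        print(label, audit_bucket(pol, acl) or "no public-read settings")
```

Run against a live account, the same two functions would take the `Policy` string (after `json.loads`) from `get_bucket_policy` and the `Grants` list from `get_bucket_acl`; both checks are needed, since a bucket can be opened by either mechanism independently, which is why a bucket that looks clean in one place can still be readable from a browser.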