Portuguese bank exposes client data, raising fears of account hijacking

Extremely sensitive data has been leaked from Banco Portugues de Gestao due to a misconfiguration on the bank's service provider's systems, one that could have led to unauthorized money transfers.

On May 2nd, the Cybernews research team revealed a misconfiguration in the systems of Nearsoft, a provider of digital banking and e-government solutions.

The misconfiguration leaked extremely sensitive user financial data belonging to Banco Portugues de Gestao, one of the Nearsoft clients.

Alarmingly, the leak also revealed that the bank’s service provider did not comply with international information security standards such as ISO27001 and PCI-DSS, which are essential for financial institutions. Almost none of the stored sensitive information was encrypted or hashed.

Leaked user data included:

  • Bank account numbers
  • IBAN numbers
  • Account balances
  • KYC documents
  • ID card numbers, including citizen ID numbers
  • Email addresses
  • Phone numbers
  • Taxpayer numbers
  • Names
  • Places of employment
  • Occupation
  • Marital status
  • Dates of birth
  • Home addresses
  • Answers to security questions
  • Authentication secrets
  • Internet banking session tokens

The data leak was caused by missing authentication on the company's Kibana dashboard – a popular online tool for searching, visualizing, and analyzing stored data.
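As an added illustration that is not part of the article and not Nearsoft's configuration, the Elastic settings that decide whether a Kibana dashboard like the one described answers anonymous requests. It assumes an Elasticsearch 7.x basic-licence deployment, where security defaulted to off; file paths and hostnames are placeholders.

```yaml
# Added example, not from the article or the provider.
# Exposed pattern (Elasticsearch 7.x with security left at its default):
# --- elasticsearch.yml ---
# network.host: 0.0.0.0            # listens on every interface
# xpack.security.enabled: false    # REST API answers without credentials
# --- kibana.yml ---
# server.host: "0.0.0.0"           # dashboard reachable from the internet
# (no credentials configured: Kibana itself connects anonymously,
#  so anyone who can reach port 5601 can browse every index)

# Hardened pattern:
# --- elasticsearch.yml ---
network.host: 127.0.0.1                       # not directly internet-facing
xpack.security.enabled: true                  # every request must authenticate
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12   # placeholder path

# --- kibana.yml ---
server.host: "127.0.0.1"                      # expose only via a reverse proxy or VPN
elasticsearch.hosts: ["https://127.0.0.1:9200"]
# Kibana's own credential goes into the Kibana keystore
# (bin/kibana-keystore add elasticsearch.serviceAccountToken), never in this file.
```

To verify, request the Kibana or Elasticsearch root URL with no credentials from outside the host: a correctly secured instance answers 401, while the pattern in this article answered with data.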

According to the researchers' estimates, the bank's client data had been accessible to anyone on the internet, including threat actors, since April.

Image: Banco Portugues de Gestao KYC documents sent by email as base64-encoded PDF, and a KYC document decoded from base64.

A major cause for concern is that the data was being updated in real time, leaving bank users vulnerable to a wide range of attacks. This treasure trove of user data could have been exploited by malicious actors for identity theft, wire fraud, doxxing, financial profiling, spam, and phishing campaigns.

Most worryingly, the leaked information could have been used to hijack client accounts and conduct unauthorized money transfers.

Cybernews contacted Nearsoft, and access to user data has since been secured. However, an official comment has yet to be received.

Images: a KYC document decoded from base64; account onboarding information, including email, phone number, citizen ID and name; authentication tokens and account balances; and a Banco Portugues de Gestao record with an internet banking session token, private customer information, customer manager information, and answers to security questions.

The risks of using third-party providers

The discovered data leak is a stark example of the security risk involved in using the services of a third-party provider.

The open instance found by researchers impacted only Banco Português de Gestão. However, Nearsoft's client base includes numerous financial institutions that could potentially encounter similar security risks.

Nearsoft clients:

  • Banco Portugues de Gestao
  • First Capital Bank
  • Caixa
  • Fondation Ondjyla
  • Banco Interatlantico
  • dnoticias.pt
  • Unitel
  • Caixa Angola
  • IMDM
  • Regiao Autonoma de Madeira
  • Horarios de Funchal
  • Seiva
  • BancoKeve
  • Bai Cabo Verde

In 2023, Cybernews research revealed another concerning leak at OCR Labs, a major provider of digital ID verification tools for financial institutions.

A misconfiguration of the company’s systems exposed sensitive credentials to the public, affecting six financial institutions: QBANK, Defence Bank, Bloom Money, Admiral Money, MA Money, and Reed.