Extremely sensitive data has been leaked from Banco Portugues de Gestao due to a misconfiguration on the bank's service provider's systems, which could have led to unauthorized money transfers.
On May 2nd, the Cybernews research team revealed a misconfiguration in the systems of Nearsoft, a provider of digital banking and e-government solutions.
The misconfiguration leaked extremely sensitive user financial data belonging to Banco Portugues de Gestao, one of the Nearsoft clients.
Alarmingly, the leak also revealed that the bank’s service provider did not comply with international information security standards such as ISO27001 and PCI-DSS, which are essential for financial institutions. Almost none of the stored sensitive information was encrypted or hashed.
Leaked user data included:
- Bank account numbers
- IBAN numbers
- Account balances
- KYC documents
- ID card numbers, including citizen ID numbers
- Email addresses
- Phone numbers
- Taxpayer numbers
- Names
- Places of employment
- Occupation
- Marital status
- Dates of birth
- Home addresses
- Answers to security questions
- Authentication secrets
- Internet banking session tokens
The data leak was caused by missing authentication on the company's Kibana dashboard – a popular online tool for searching, visualizing, and analyzing stored data.
According to the researchers' estimates, the bank's client data had been accessible to anyone on the internet, including threat actors, since April.
A major cause for concern is that the data was being updated in real time, leaving bank users vulnerable to a wide range of attacks. Such a treasure trove of user data could have been exploited by malicious actors for identity theft, wire fraud, doxxing, financial profiling, spam, and phishing campaigns.
Most worryingly, the leaked information could have been used to hijack client accounts and conduct unauthorized money transfers.
Cybernews contacted Nearsoft, and access to user data has since been secured. However, an official comment has yet to be received.
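An exposure like the one described above leaves a trace: requests to the Kibana API from outside the organisation that succeed without any credentials. The following detection script is an added example, not code from the article or from Nearsoft; it assumes a reverse proxy in front of Kibana writes combined-format access logs with a trailing "auth"/"noauth" field recording whether an Authorization header or session cookie was present, and the log lines and IP addresses are constructed.

```python
# Added example: flag anonymous, successful requests to Kibana data paths
# from external addresses in (constructed) reverse-proxy access logs.
import ipaddress
import re
from dataclasses import dataclass

# Assumed log format: combined log format plus a final "auth"/"noauth" field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "[^"]*" (?P<auth>auth|noauth)$'
)
# Kibana paths that serve the UI or stored documents; a 200 here with no
# credentials means the dashboard is reachable anonymously.
SENSITIVE_PREFIXES = ("/api/", "/app/", "/internal/search/")
# Address ranges treated as internal (RFC 1918, loopback, link-local, ULA).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128")]

@dataclass
class Finding:
    ip: str
    ts: str
    path: str

def is_external(ip: str) -> bool:
    """True for any syntactically valid address outside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def detect_anonymous_kibana_access(lines):
    """Return one Finding per unauthenticated 200 on a sensitive path from outside."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; count these separately in production
        if (m["status"] == "200" and m["auth"] == "noauth"
                and m["path"].startswith(SENSITIVE_PREFIXES)
                and is_external(m["ip"])):
            findings.append(Finding(m["ip"], m["ts"], m["path"]))
    return findings

SAMPLE_LOG = [  # constructed sample lines; documentation-range IPs
    '203.0.113.7 - - [01/May/2024:10:14:03 +0000] "GET /api/saved_objects/_find?type=index-pattern HTTP/1.1" 200 5120 "-" "curl/8.0" noauth',
    '10.0.0.5 - - [01/May/2024:10:14:09 +0000] "GET /app/home HTTP/1.1" 200 812 "-" "Mozilla/5.0" auth',
    '198.51.100.23 - - [01/May/2024:10:15:41 +0000] "POST /internal/search/es HTTP/1.1" 200 20480 "-" "python-requests/2.31" noauth',
    '198.51.100.23 - - [01/May/2024:10:15:42 +0000] "GET /login HTTP/1.1" 200 300 "-" "python-requests/2.31" noauth',
    '203.0.113.7 - - [01/May/2024:10:16:00 +0000] "GET /api/status HTTP/1.1" 401 0 "-" "curl/8.0" noauth',
]

if __name__ == "__main__":
    for f in detect_anonymous_kibana_access(SAMPLE_LOG):
        print(f"ALERT anonymous Kibana access from {f.ip} at {f.ts}: {f.path}")
```

A single such finding is enough to warrant checking that Elasticsearch security and Kibana authentication are actually enabled, since a correctly protected instance answers anonymous API calls with 401 or a login redirect, never 200.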
The risks of using third-party providers
The discovered data leak is a stark example of the security risk involved in using the services of a third-party provider.
The open instance found by researchers impacted only Banco Português de Gestão. However, Nearsoft's client base includes numerous financial institutions that could potentially encounter similar security risks.
Nearsoft clients:
- Banco Portugues de Gestao
- First Capital Bank
- Caixa
- Fondation Ondjyla
- Banco Interatlantico
- dnoticias.pt
- Unitel
- Caixa Angola
- IMDM
- Regiao Autonoma de Madeira
- Horarios de Funchal
- Seiva
- BancoKeve
- Bai Cabo Verde
In 2023, Cybernews research revealed another concerning leak at OCR Labs, a major provider of digital ID verification tools for financial institutions.
A misconfiguration of the company’s systems exposed sensitive credentials to the public, affecting six financial institutions: QBANK, Defence Bank, Bloom Money, Admiral Money, MA Money, and Reed.