Data leak hits Latin America’s financial institutions, leads point to fintech app


Digital banking platform Bankingly has leaked data from seven financial institutions, exposing clients across Central and South America.

On May 24th, the Cybernews research team identified seven Azure Blob Storage buckets without proper authentication. The misconfiguration exposed the personal data of nearly 135,000 clients across Latin America to anyone online.

Citizens from the Dominican Republic, Mexico, Ecuador, El Salvador, Bolivia, and Costa Rica are among those impacted, with the majority of victims – nearly 100,000 individuals – being from the Dominican Republic.

The leak was linked to Bankingly, a fintech platform that provides web services and mobile applications to financial institutions in Latin America.

Figure (Bankingly data leak map): the number of victims, country, and the affected financial institutions. Credit: Cybernews

The Uruguay-based company primarily serves small and medium-sized financial institutions such as banks, credit unions, and microfinance institutions, most of which are located in rural areas across Latin America.

Bankingly likely used storage buckets to store customer data, including personal information and account details, to provide software solutions to financial institutions.

What data was leaked?

  • Full names
  • Financial application usernames
  • Emails
  • Phone numbers
  • Work phone numbers

Which financial institutions were affected?

  • La Cooperativa de Ahorro y Crédito Abierta “San Martín de Porres” (COSMART)
  • Asociación La Nacional de Ahorros y Préstamos (ALNAP)
  • Caja Buenos Aires
  • Caja Mitras
  • Coac Puellaro
  • Credecoop
  • AMC

Risk of well-crafted social engineering attacks

Apart from causing reputational damage to the financial institution, the leaked data poses a risk to affected individuals.

“The leaked data might not be enough for cybercriminals to directly make financial transactions, such as applying for loans or opening new bank accounts,” explained a Cybernews researcher.

“Typically, more sensitive information like government-issued IDs, for example, social security numbers, or passport details, credit card numbers, or even access to passwords is needed to perform these types of activities.”

However, exposing personally identifiable information (PII) still poses a risk of phishing and social engineering attacks. Threat actors could use leaked data to craft sophisticated phishing emails that seem to originate from the victim's financial services provider, or call victims while impersonating a bank employee, aiming to deceive them into disclosing further personal information or login credentials.

Another risk is credential stuffing attacks. If victims reuse their passwords across different platforms, attackers could attempt to use the exposed usernames or email addresses coupled with information from old data breaches and subsequently gain access to accounts.

Cybernews has contacted Bankingly, and data in the buckets has been secured. The company has not responded to the request for comment. We’ve also reached out to the affected companies and are waiting for a response.

The risk of using third-party providers

The situation serves as a stark reminder of the risks associated with using third-party service providers, which can act as Trojan horses for accessing financial institutions. As Cybernews' previous research demonstrates, the Bankingly platform's case is far from unique.

On May 2nd, the research team unveiled a misconfiguration in the systems of Nearsoft, a provider of digital banking and e-government solutions. The misconfiguration leaked extremely sensitive user financial data belonging to one of the company’s clients, Banco Portugues de Gestao, raising fears of account hijacking.

In 2023, Cybernews research revealed another major leak at OCR Labs, a major provider of digital ID verification tools for financial institutions.

A misconfiguration of the company’s systems exposed sensitive credentials to the public, affecting six financial institutions: QBANK, Defence Bank, Bloom Money, Admiral Money, MA Money, and Reed.