A treasure trove of loan applicants' private information, including national IDs and account statements, was left unsecured, jeopardizing the accounts of users.
On September 16th, the Cybernews research team discovered a misconfiguration in an Amazon AWS S3 bucket belonging to the Mumbai-based fintech company FatakPay.
The company provides instant loans to individuals through its app, which has been downloaded more than a million times on the Google Play Store.
The company’s misconfigured bucket required no authentication and was publicly accessible to anyone on the internet. It held more than 27 million files packed with sensitive loan applicants' data, including Know Your Customer (KYC) documents.
What was leaked?
- Full names
- Home address
- Email address
- Phone numbers
- Copies of National IDs
- Loan agreements
- Account Statements
- Filled-in loan applications
- User selfies for verification
- PAN, a 10-character alphanumeric identifier issued by the Indian Income Tax Department
- Aadhaar, a 12-digit unique identification number issued by the Unique Identification Authority of India (UIDAI) to residents of India
- Credit score report (CRIF and CIBIL)
Cybernews contacted the company multiple times to ensure that data access would be secured. The company has since closed the bucket. An official comment has yet to be received.
Leaked KYC documents jeopardize loan seekers
Financial institutions and fintech platforms require KYC checks to identify users and ensure compliance with laws and regulations. Proof of identity involves providing a government-issued ID, such as a passport, driver's license, or national identification card. The process also involves taking selfies while holding the ID to verify that it belongs to the individual undergoing verification.
With access to exposed KYC documents, malicious actors can threaten unsuspecting victims with identity theft, impersonation, and financial fraud.
Meanwhile, revealing other sensitive details, such as PAN and Aadhaar numbers, increases the risk of identity theft for India-based individuals.
Cybercriminals could impersonate them to take out loans, apply for credit cards, and access bank accounts, leaving victims with debts for loans they never took and exacerbating the emotional and financial toll.
Identity theft often results in severe damage to victims' credit scores, complicating future loan applications and access to favorable interest rates. Rebuilding credit can be lengthy and stressful.
From phishing attacks to physical danger
Identity theft is hardly the only risk that data leak victims face. Leaked personal details often enable attackers to carry out phishing attacks. Cybercriminals could use names, email addresses, phone numbers, and other financial information to craft convincing emails or texts impersonating legitimate entities – such as banks – tricking victims into sharing sensitive information or sending money to scammers.
Exposing home addresses significantly heightens the risk to individuals' physical safety. For example, criminals could exploit this data to locate and target victims for various malicious purposes, such as stalking, harassment, or burglary.
Doxxing, or unauthorized exposure of personal information, is another serious threat because cybercriminals, also known as "doxxers," constantly search the internet for material that may be used to further their financial or personal agendas.
Disclosure timeline
Discovered: September 16th
Initial disclosure: October 15th
Multiple follow-up emails: October 22nd, 29th, November 5th, 12th, 26th, December 3rd.
Closed: December 5th