Mexican fintech startup Kapital leaves client IDs and selfies leaking for months


Small business owners in Mexico should know that their financial partners might leak sensitive personal information. Researchers have discovered a huge exposed database containing voter IDs and selfies collected by the financial technology firm Kapital.

Despite multiple disclosure attempts, a 30-day notification period, and alerts to the local authorities, the database remains open as of December 6th, 2024.

The Cybernews research team discovered the misconfigured Google Cloud Storage bucket on September 8th, 2024, during a routine investigation of publicly available indexes.

The bucket stores 1,674,324 files, most of which are copies of Voter IDs and selfies for identity verification. It has been attributed to Kapital.

“The leakage of 1.6 million Mexican voter IDs and selfies represents a severe breach of personal security with far-reaching consequences,” the Cybernews researchers said.

“The documents are integral to voting, identity verification, and accessing various services. Their exposure compromises individuals' immediate safety and privacy and can have negative financial consequences.”

Based in Mexico City, the company specializes in serving small and medium-sized firms that usually have no access to bank credit in Latin America. The firm provides a platform and financial services like loans, credit cards, etc. The Kapital Business app has been downloaded over 100,000 times from the Google Play store.

Last year, the fintech secured $165 million in funding from investors led by Tribe Capital, TechCrunch reported.

During the responsible disclosure procedure, Cybernews sent over a dozen emails to the company and informed the local Computer Emergency Response Team (CERT). Cybernews also reached out to the startup for comments. However, Kapital did not respond before publication.

Clients at risk

According to media reports, Kapital had 80,000 small business clients last year. The firm also acquired another firm with an additional 65,000 customers. The customer base is significantly smaller than the number of exposed records in the misconfigured cloud storage with voter IDs and selfies.

Mexican Voter IDs, also known as the “Credencial para Votar,” serve as official identification during federal, state, and municipal elections. The document is commonly used as an official ID for various bureaucratic procedures, such as opening bank accounts, accessing government services, and handling other legal matters. It verifies Mexican citizenship and is often required to access public and private services, including transactions and signing official documents.

The leaked Voter IDs can have broad implications for the affected individuals, who are likely unaware their data was exposed.

“Threat actors can easily obtain and misuse sensitive information for identity theft. Criminals might attempt to create fraudulent accounts or gain unauthorized access to existing ones,” the researchers warn.

“Financial fraud could lead to substantial monetary loss and damaged credit scores.”

With stolen identities, attackers will likely attempt to withdraw funds, open financial accounts, and apply for credit cards or loans in the names of unsuspecting victims.

Cybercriminals often combine data with other leaks to advance various types of cybercrime and fraud. The exposed bucket did not contain any other records or passwords.

What the firm should’ve done

Cybernews researchers recommend that Kapital immediately restrict access to the open Google Cloud Storage bucket. This can be done by changing permissions and ensuring only authorized personnel can access the data.

“If possible, temporarily disable the bucket or move the data to a more secure environment while the situation is assessed,” the researchers said.

Researchers also suggest implementing the following mitigations:

  • Encryption: Enable server-side encryption for the bucket to ensure that data stored within it is encrypted at rest. Additionally, consider implementing client-side encryption for added security, especially for highly sensitive data.
  • Monitor access logs retrospectively: This helps assess whether unauthorized actors have accessed the bucket.
  • Regular Security Audits: Establish a schedule for regular security audits and reviews of all Google Cloud Storage buckets to identify and address any security risks or vulnerabilities proactively. This can help prevent future data leaks and ensure ongoing compliance with security best practices.
  • Consider implementing security best practices: Ensure compliance with strong security frameworks and certifications.
  • Inform: contact the affected parties and provide support.
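
As an illustration of the permission review and regular audits recommended above, the following added example (not from Cybernews or Kapital) checks a Cloud Storage bucket IAM policy for public principals and produces a copy with them removed. The sample policy is constructed, all account and group names are placeholders, and a real policy would come from `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`; legacy object ACLs are not covered.

```python
import json

# Principals that make a Cloud Storage IAM binding public.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy in the JSON shape of a bucket IAM policy
# (group and service-account names are placeholders).
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "etag": "CAE=",
  "bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers", "group:kyc-reviewers@example.com"]},
    {"role": "roles/storage.legacyBucketReader",
     "members": ["allAuthenticatedUsers"]},
    {"role": "roles/storage.objectAdmin",
     "members": ["serviceAccount:kyc-upload@example-project.iam.gserviceaccount.com"]}
  ]
}
""")


def find_public_bindings(policy):
    """Return (role, member) pairs that grant access to anyone."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((binding["role"], member))
    return findings


def strip_public_members(policy):
    """Return a copy without public members; empty bindings are dropped."""
    # etag and version are kept so the result can be written back as-is.
    cleaned = {k: v for k, v in policy.items() if k != "bindings"}
    cleaned["bindings"] = []
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", []) if m not in PUBLIC_MEMBERS]
        if members:
            cleaned["bindings"].append({**binding, "members": members})
    return cleaned


if __name__ == "__main__":
    for role, member in find_public_bindings(SAMPLE_POLICY):
        print(f"PUBLIC: {member} holds {role}")
    print(json.dumps(strip_public_members(SAMPLE_POLICY), indent=2))
```

Run on a schedule across every bucket in a project, a non-empty result from `find_public_bindings` is the condition to alert on.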

Mexico has a Federal Law for the Protection of Personal Data Held by Private Parties (FLPPDHPP). Failure to comply can result in fines of up to $1.5 million.

Disclosure timeline

  • September 8th, 2024: leak discovered.
  • September 10th, 2024: initial disclosure email sent to Kapital.
  • October 23rd, 2024: disclosure to CERT-MX.