The digital loan provider made everything from passports to utility bills available online, revealing loan seekers’ personal information to the public.
The act of getting a simple loan could lead to the nightmare of identity theft. The Cybernews research team found that Vivifi, an Indian digital lending app, exposed highly sensitive client data to anyone on the internet.
Researchers claim the personal data linked to the company were stored on a misconfigured Amazon AWS S3 bucket that lacked authentication. The leaking bucket stored more than 36 million files with Know Your Customer (KYC) documents, packed with the sensitive data of loan seekers.
What was leaked?
- Passports
- National ID cards
- Driver’s licenses
- Voter IDs
- Utility bills
- Lease/rental agreements
- Bank statements
- Salary slips
- Employment letters
- Taxpayer Identification – PAN cards
- Vivifi’s loan agreements
- Communication with clients
The Hyderabad-based firm is registered with the Reserve Bank of India (RBI) as a non-banking finance company. Founded in 2016, Vivifi focuses on digital financial services for clients with limited or no access to traditional credit and has been valued at $150 million.
Loan seekers are at risk
Financial institutions and fintech platforms use KYC to verify users' identities and ensure they comply with laws and regulations. However, if this data falls into the hands of threat actors, it could pose significant risks.
The massive scale makes the exposed dataset highly valuable to threat actors, who could exploit the gathered information for various malicious purposes.
Among the most pressing concerns is the threat of identity theft, as cybercriminals can easily use detailed financial and personal data to impersonate clients. This could result in financial losses, as scammers could open fraudulent bank accounts, apply for credit cards, or take out loans.
If exploited, proof-of-address documents, bank account details, and employment information heighten the risk of falling victim to social engineering. Cybercriminals might use the stolen data to craft convincing emails or fake websites, persuading the victims to reveal their login information and grant access to financial accounts.
“For instance, attackers could use leaked loan agreement details or bank information to request urgent payments or account verification,” our researchers said.
“In some cases, these personal details can be aggregated and sold on the dark web, further escalating the danger and complicating efforts for victims to protect their privacy and secure their identities,” added the team.
Cybernews contacted the company, and access to the bucket was secured. Vivifi said it is conducting an investigation into the findings.
The Cybernews security team advises how to mitigate the security risks:
- Change the access controls to restrict public access and secure the bucket.
- Update permissions to ensure that only authorized users or services have the necessary access.
- Monitor retrospectively access logs to assess whether unauthorized actors have accessed the bucket.
- Enable server-side encryption to protect data at rest.
- Use AWS Key Management Service (KMS) to manage encryption keys securely.
- Implement SSL/TLS for data in transit to ensure secure communication.
- Consider implementing security best practices, including regular audits, automated security checks, and employee training.
- Leak discovered: November 28th, 2024
- Initial disclosure: January 7th, 2024
- Closed: January 16th, 2024
Your email address will not be published. Required fields are markedmarked