Financial companies leak 425GB in company, client data through open database

Half a million confidential legal and financial documents, at least, were exposed online.
Written by Charlie Osborne, Contributing Writer

An open database is the source of a data leak leading to the exposure of 425GB in sensitive documents belonging to financial companies. 

On Tuesday, vpnMentor researchers led by Noam Rotem said the database appears to be connected to MCA Wizard, a now-defunct app that appears to have been developed by Advantage Capital Funding and Argus Capital Funding. 

The iOS/Android application was developed as a Merchant Cash Advance (MCA) instrument, used to provide businesses with short-term loans based on their future credit card-based sales. The app is no longer available on official app stores.

In a report shared exclusively with ZDNet, the team said the database was discovered through vpnMentor's web mapping project. First uncovered in December 2019, the Amazon Web Services (AWS) S3 bucket was not using any form of encryption, authentication or access credentials, a situation which has become increasingly common as many companies move to cloud services. 

See also: UniCredit reveals data breach exposing 3 million customer records

Due to a failure to implement basic security protocols, the database permitted unfettered access to anyone with an Internet connection and the S3 bucket's address. 

The researchers say the database contained references to MCA Wizard, but many of the files did not appear to have any true connection to the mobile application. 

Instead, vpnMentor found over 500,000 "highly sensitive" documents, including private legal and financial files, that originated from  Advantage and Argus. In total, 425GB was contained in the database at the time of discovery -- and files were still actively being uploaded to the bucket as the team conducted their investigation. 


Entries related to the companies' businesses, including credit reports, bank statements, contracts, legal documents, driver license copies, purchase orders and receipts, tax returns, Social Security information, and transaction reports. 


CNET: Huawei ban: Full timeline as Trump signs law to stop rural carriers from using its gear

The records did not just relate to Advantage and Argus. Instead, they also affected "customers, clients, contractors, employees, and partners," according to the researchers. 

vpnMentor reached out to Advantage and Argus to inform them of the leak, but emails sent to the entities mentioned bounced back. Attempts to contact the vendors were made on 30 December, but after these messages failed to deliver, the researchers eventually contacted AWS directly. The database was closed on 9 January 2020. 

"The financial and legal consequences of such crimes could destroy a not just a person's businesses, but their entire life," vpnMentor said. "Many of the files we viewed revealed Social Security numbers and other forms of PII belonging to a diverse range of private individuals and business owners. These could be used to commit additional forms of fraud against those affected, including wholesale identity theft."

TechRepublic: How hospital CIOs can prepare for the onslaught of coronavirus patients

VpnMentor's mapping project has revealed a variety of other data breaches in the past. These include a database supporting a back-end system for legal cannabis sales; a system that exposed records relating to US consumer, government, and military travel; a database revealing the security logs of major hotel chains, and a browser that leaked user data. 

ZDNet has also attempted to reach out to Advantage and Argus and will update if we hear back. 

These are the worst hacks, cyberattacks, and data breaches of 2019 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards