National Credit Federation leaked US citizen data through unsecured AWS bucket

Tens of thousands of customers of the credit repair service are believed to be affected.
Written by Charlie Osborne, Contributing Writer

Video: The latest NSA leak: 11 things to know about Red Disk

The National Credit Federation (NCF) has become the latest in a long list of companies to leave the sensitive, private data of customers exposed for all to see online.

According to Chris Vickery, UpGuard Director of Cyber Risk Research, the Tampa, Fla.-based credit repair firm left 111GB of internal customer information on an Amazon Web Services S3 cloud storage bucket configured to allow public access without restriction.

In a blog post, Vickery said the discovery was made on Oct. 3, 2017.

Information on the server, potentially impacting tens of thousands of customers, included customer names, addresses, dates of birth, driver's license and Social Security card scans, credit blueprints containing detailed financial histories, and full credit card and bank account numbers.

In addition, credit reports from Equifax, Experian, and TransUnion were found in the repository, and in some cases, multiple copies were discovered.

This is a huge amount of information which could be used by frausters and criminals to conduct identity theft and destroy their victim's finances.

In order to access this information, all anyone needed to do was to enter the repository's URL and download the files they wanted.

"National Credit Federation data was left entirely accessible to anybody accessing the repository's URL, highlighting the vital urgency for enterprises to secure their data and validate their configurations against any such exposures," the security researcher said. "This highly concentrated level of exposure, thoroughly revealing customer credit history several times over, serves to highlight the myriad dangers a single exposure can unleash."

It is possible that up to 47,000 NCF customers have been impacted. The researcher says that the bucket's subdomain, "crm-mvp," likely refers to either customer relationship or customer record management, and the contents appear to back this theory as there are 47,000 files -- most of them PDF and text files -- which contain the information of customers.

"A conservative estimate of the number of NCF customers affected by this exposure would be below forty thousand individuals, all of whom needed help in restoring their finances," Vickery says. "In short, these are people who needed and asked for assistance in getting their lives back on track, and were repaid, through a process still unknown, by having the information they furnished revealed online."

Until UpGuard notified NCF of the discovery, the repository was in a state of constant update.

However, there is no indication at the moment that any attackers found and exploited this security failure.

See also: The 10 step guide to using Tor to protect your privacy

This is far from the first time that deeply sensitive and confidential information concerning US citizens has been leaked online.

Earlier this year, credit giant Equifax admitted to a data breach, which exposed the data of roughly 145 million customers, including names, social security numbers, birth dates, home addresses and some driving license details, eventually costing the company $87.5 million in damage control.

Last year, a US government subcontractor, Potomac Healthcare Solutions, used an unsecured server to hold sensitive details belonging to active military healthcare professionals, which Vickery found to be open for the world to see.

In related news, this week, the contents of a hard drive belonging to a division of the US National Security Agency (NSA) was exposed online. The virtual disk image contained over 100GB of data relating to a military project dubbed "Red Disk," and was left on an unlisted but public Amazon Web Services server.

ZDNet has reached out to the NCF and will update if we hear back.

Best gifts: Top tech for co-workers

Related stories

Editorial standards