An Elasticsearch server instance that was left open on the Internet without a password contained sensitive financial information about loans from Indian and African financial services.
The leak, which was discovered by researchers from information security company UpGuard, amounted to 5.8GB and consisted of a total of 1,686,363 records.
“Those records included personal information like name, loan amount, date of birth, account number, and more,” UpGuard stated in a report shared with The Hacker News. “A total of 48,043 unique email addresses were in the collection, some of which were for the product administrators, corporate clients, and collection agents assigned to each case.”
The exposed instance, used as data storage for a debt collection platform called ENCollect, was detected on February 16, 2022. The leaky server has since been rendered non-accessible to the public as of February 28 following intervention from the Indian Computer Emergency Response Team (CERT-In).
ENCollect is billed as the “world’s best collector’s app,” allowing collection agents to track loan payments, initiate legal actions, and offer strategies for delinquency management, settlements, and repossession.
UpGuard stated the loans originated from lending companies such as Lendingkart, IndiaLends, Shubh Loans (MyShubhLife), Centrum, Rosabo, and Accion, with the leaked data also incorporating personal details associated with the borrowers.
Furthermore, the dataset encompassed 114,747 mailing addresses, 105,974 phone numbers, and 157,403 loan amounts. A subset of these records also revealed additional information such as contact details of co-applicants, family members, and other personal references.
“Some records contained overdue amounts, the type and length of the loan, and internal notes left by collection agency staff regarding loan repayments,” UpGuard stated.
Although the misconfigured server has been secured, there is always a chance that anyone with malicious intent could use the information to target users as part of scams or extortion schemes, or even masquerade as loan collectors to target borrowers.
“The digitization of financial services provides many opportunities for efficiencies in processes like debt collection, but also creates unexpected risks in the supply chain,” the researchers stated. “Vendor solutions also create the risk for multiparty exposures when their data sets are sourced from several clients, as in this case.”