Security Market Segment LS
Friday, 01 December 2017 10:43

Credit repair service leaks data of about 40,000 Americans


The personal and financial data of about 40,000 Americans has leaked on the Web via an unsecured Amazon Web Services S3 bucket, the security firm UpGuard reports.

The data, from the Tampa-based credit repair service National Credit Federation, included customer names, addresses, dates of birth, driver’s licence and Social Security card images, credit reports from all three major agencies, personalised credit blueprints containing detailed financial histories, and full credit card and bank account numbers.

UpGuard's director of Cyber Risk Research, Chris Vickery, found the data on 23 October, a total of 47,000 files, mostly PDF and text documents.

There were three general kinds of documents found: documents submitted by customers with personal and financial details, “personalised credit blueprints” and videos created by NCF for their customers, and customer credit reports from Equifax, Experian, and TransUnion – the “big three” credit reporting agencies.

A leak at Equifax revealed the details of 143 million Americans in July. The leak was reported only in September.

An UpGuard blog post said the personal documents submitted by NCF customers were "expansive and highly sensitive; their exposure left tens of thousands of individuals entirely compromised against the threats of identity theft and financial attack. Photographs and scans of customers’ driver’s licences, as well as completed forms and documents, provide sensitive personal details such as full names, dates of birth, addresses, and financial histories".

The available data could easily be used for identity theft and compromise of personal finance histories of the people involved, UpGuard said.

Apart from this data, video files within the repository depicted NCF employee computer desktops, which had been recorded using a screenlogging program, as an employee accesses customer records and explains the significance.

"The videos appear to be specially made for individual customers, and are rife with the depiction of personally identifying information," UpGuard added.

In the past, UpGuard has found misconfigured Amazon Web Services S3 buckets leaking data from the NSA, the Pentagon, global corporate consulting and management firm Accenture, publisher Dow Jones, a Chicago voter database, a North Carolina security firm, and a contractor for the US National Republican Committee.


26-27 February 2020 | Hilton Brisbane

Connecting the region’s leading data analytics professionals to drive and inspire your future strategy

Leading the data analytics division has never been easy, but now the challenge is on to remain ahead of the competition and reap the massive rewards as a strategic executive.

Do you want to leverage data governance as an enabler?Are you working at driving AI/ML implementation?

Want to stay abreast of data privacy and AI ethics requirements? Are you working hard to push predictive analytics to the limits?

With so much to keep on top of in such a rapidly changing technology space, collaboration is key to success. You don't need to struggle alone, network and share your struggles as well as your tips for success at CDAO Brisbane.

Discover how your peers have tackled the very same issues you face daily. Network with over 140 of your peers and hear from the leading professionals in your industry. Leverage this community of data and analytics enthusiasts to advance your strategy to the next level.

Download the Agenda to find out more


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments