A California auto loan company left the names, addresses, credit scores and partial Social Security numbers of up to 1 million people exposed on an insecure online database.
The company behind the database is Alliance Direct Lending Corporation, according to Kromtech Security Research Center, which discovered the data earlier this week. It said the data was found on an unprotected Amazon server and that the data could have been exposed for up to two years.
Researchers said they found the insecure database while researching vulnerabilities associated with Amazon Web Services (AWS). “We discovered this after noticing a few exposed (Amazon server) buckets with -dev iterations. Technically, anybody could have guessed the name and put that into URL line,” said Bob Diachenko, security communications specialist with Kromtech.
According to Alliance Direct Lending’s website, the company works with individuals and auto dealership partners to help car owners refinance existing auto loans. Data stored in the cloud was in clear text, according Diachenko. He said data also included several dozen recorded voice conversations with customers that disclosed full Social Security numbers of loan applicants.
Sample data included the names of 114 car dealerships. According to Kromtech, it estimated between 550,000 to 1.1 million loan records from those dealers were exposed online. Dealers were located across the United States from California, Colorado, Florida and Massachusetts. Kromtech is the parent company of MacKeeper. It posted a report of its investigation online Wednesday.
Jaime Alefosio, president of Alliance Direct Lending Corporation, told Threatpost she was investigating the insecure server and declined to comment further. According to Kromtech, it worked with Alliance Direct Lending and confirmed the data was secured late Tuesday.
Kromtech said it was unsure if additional third parties may have accessed the data.
According to AWS documentation: “By default, all Amazon S3 resources—buckets, objects, and related subresources (for example, lifecycle configuration and website configuration)—are private: only the resource owner, an AWS account that created it, can access the resource. The resource owner can optionally grant access permissions to others by writing an access policy.”
Privacy experts said the data in the hands of the wrong person would be a nightmare for victims. A criminal that knows the data comes from people who have refinanced their car loan and may have less than stellar credit, coupled with partial Social Security numbers, would be a dream come true.
“Things could go wrong on a variety of levels. The data could be used to phish additional data via email or phone scams. That’s not even mentioning the reputational damage to those in the database with bad credit scores,” said Adam Levin, chairman and founder of CyberScout.
The data found by Kromtech was on an Amazon’s AWS S3 server. AWS S3 is marketed as an easy-to-use web service that allows businesses to store and retrieve data at a moment’s notice. Data is stored in what Amazon calls buckets.
“The Kromtech Security Research Center has seen an increase in vulnerable AWS S3 buckets recently due to misconfigurations or public settings,” Diachenko said. “We have identified hundreds of misconfigured instances and we have been focused on helping to secure them as soon as we identify who the data belongs to.”
He said companies should consider Alliance Direct Lending’s example a sobering reminder that companies and individuals need to make sure their data is secure.
For Diachenko, this is the latest in a string of insecure database he has helped uncover. In January, he was part of a research team that found 400,000 audio files associated with a Florida company’s telemarketing efforts were stored insecurely online. In February, Kromtech researchers found tens of thousands of sensitive documents insecurely stored online belonging to a print and marketing firm.
