Auto Financing Company Leaks 500K+ of Customer’s Info Online
As part of our research on publicly available Amazon AWS S3 buckets Kromtech Security Researchers discovered yet another repository, (mis)configured for public access, which contained 88 megabytes of spreadsheet documents in *.csv format with names of hundreds of auto dealerships around the United States.
Upon further investigation we were able to identify what appeared to be customer purchase information (such as full names, address, zip,last 4 SSN digits), credit scores (FICO auto scores), year, makes, and models. Once it was clear this was automotive financing data we found the name of who we believed were associated with the exposed data.
The files allegedly belong to Alliance Direct Lending Corporation, an automobile finance company in that refinances auto loans or uses a network of dealers to match with pre-qualified buyers.
The leaked data contained 124 files (each of them containing from 5 to 10 thousands records, which brings us to 550K - 1M customer details in total), with financing records broken down by dealerships and 20 audio recordings of customers agreeing to auto loans or refinancing of auto loans. These consent calls were the customers agreeing that they understood they were getting an auto loan, confirming that the information was correct and true. They included the customers name, date of birth, social security numbers, and phone numbers. These calls were in both English and Spanish.
A member of Kromtech Security Research called and spoke with an IT administrator who looked at the url of the publically accessible data and confirmed that it appeared to belong to Alliance Direct Lending. When searching online for Alliance Direct Lending it appears that they really do have a solid reputation and nearly all of the reviews are positive, but data breaches can and do happen. This is yet another wake up call for anyone dealing with financial data, social security numbers, or other sensitive data to audit your data often. One simple misconfiguration could allow your entire organization's data storage publically available online to anyone looking for it.
Did anyone else see this data?
It is unclear if anyone other than security researchers accessed it or how long the data was exposed. According to the bucket properties, it was last modified on Dec 29, 2016. It contained 210 public items and 790 private ones (not available but listed) - logs. The IT Administrator claimed that it had only recently been leaked and was not was not up for long. He thanked us for the notification and the data was secured very shortly after the notification call.
The danger of this information being leaked is that cyber criminals would have enough to engage in identity theft, obtain credit cards, or even file a false tax return. Alliance Direct Lending is based in California where the law requires notification of a breach when a California resident's unencrypted personal information is compromised. California was the first state in the U.S. to require notification of security breaches (its law became effective in 2003)
Information for editors:
The Kromtech (MacKeeper) Security Research Center was established in Dec 2015 with the goal of helping to protect data, identifying data leaks and following responsible disclosure policy. Our mission is to make the cyber world safer by educating businesses and communities worldwide. Many of our discoveries have been covered in major news and technology media, earning the Kromtech Security Research Center a reputation as one of the fastest growing cyber data security departments.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.
Do you have security tips or suggestions? Contact: firstname.lastname@example.org