UK Money Transfer Service Leaks Private Customer Details
Kromtech Security Researchers have discovered a publically available Amazon S3 storage bucket that contained information appearing to belong to a money transfer service. The data originated from KS Enterprises Limited a UK based money transfer service that focuses on sending money to Bangladesh.
According to their website they were established in 2002 with the aim to provide money transfer services to the estimated 600,000 Bangladeshi people living in the UK. KS Enterprises Limited (KSEL) also claims to have made 3.5 million transactions last year.
The data were simply hosted under company domain abbreviation name 'ksel' and contained sensitive and personal information that could be used by criminals for fraudulent activities. The files that researchers discovered were customer docs - passports/ proof of address documents like bills including tax bills, loan documents / driver's license etc.
The total number of exposed customer accounts was more than 11,000. There were also many internal resource files or affiliate documents.
File Breakdown of KSELs misconfigured database.
“KSEL has built up a large and comparatively faster money transfer network with the assistance of Bangladeshi private banks namely Uttara Bank Limited, Al Arafah Islami Bank and AB Bank Ltd. KSEL has now become a trusted name in the Bangladeshi community in UK for money remittance services.”
How to follow the money? There is no official mechanism for recording remittances to and from the UK.
However, we did not find any evidence of wrongdoing by KS Enterprises Limited or any of the many affiliate data that was publicly leaked online.
We discovered the S3 bucket on the first week of July and sent notifications via email twice - Jul 11 and Jul 12, both times followed by a phone call but only after a week repository has been secured, without any word from the business.
It is unclear how long the data was available or who else may have had access to it.
We reached out to ICO and FCA and KSEL on that case. This post will be updated as soon as we know more.
An ICO spokesperson said: “Organisations have a duty to keep peoples personal data safe and secure and must take appropriate measures to do that, whether they are storing it in paper files, on hard drives or in cloud-based systems.
“We have been made aware of an incident involving KS Enterprises and are making enquiries.”
Bob Diachenko, Chief Security Communications Officer at Kromtech: "Under UK law known as the Data Protection Act, companies are required to send Notification of data security breaches to the Information Commissioners Office (ICO) and inform the thousands of customers who had their data leaked and keep a breach log."
Alex Kernishniuk, VP of strategic alliances at Kromtech: "The breach is highly sensitive and with passport scans, banking info, and more it is very high risk that could adversely affect customers privacy. The danger of having publicly accessible AWS buckets is huge for any businesses, small or large, so it is important for anybody working with digital assets to follow simple cyber hygiene rules".
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.
Do you have security tips or suggestions? Contact: firstname.lastname@example.org