National Credit Federation data leak: Over 100GB of sensitive customer data was left exposed online

Tens of thousands of Americans' critically sensitive data, such as social security numbers, bank account numbers, credit reports and more, were left freely exposed online by the National Credit Federation (NCF). The Florida-based credit repair service inadvertently exposed over 100GB of customer data via an unsecured Amazon cloud storage server, leaving thousands of its customers potentially vulnerable to identity and financial theft, as well as cyberattacks.

The credit repair service's leaky S3 bucket was discovered on 3 October by UpGuard's director of cyber risk research Chris Vickery. There have been numerous massive leaks caused by unsecured S3 buckets over the past year which have exposed incredibly large troves of data from various organisations. Most recently, classified US Army and NSA data was also left exposed, thanks to an unsecured S3 bucket.

In the NCF leak, the exposed data included information such as customers' names, addresses, scans of social security cards (exposing the actual social security numbers), credit reports, full credit card and bank account numbers, and more. Thousands of customer credit reports compiled by Equifax, Experian and TransUnion were also exposed in the breach.

"Content in the repository apparently created by NCF include personalised credit blueprints compiling a great deal of sensitive customer data in one form – everything from who owns a mortgage to how regularly a customer paid their credit card bills," UpGuard cyber resilience analyst Dan O'Sullivan wrote in a blog.

"Video files within the repository depict NCF employee computer desktops, recorded using a screen logging program, as an employee accesses customer records and explains the significance," O'Sullivan added. "The videos appear to be specially made for individual customers, and are rife with the depiction of personally identifiable information.

"All of this data could be easily used by malicious actors to steal identities and compromise the personal finances of NCF customers."

The leaky database was "continually updated" with new information until the firm was notified of the breach. This means that in the event that the S3 bucket was accessed by hackers, all they had to do was sit and wait for the database to be updated, providing them a fresh supply of victims.

According to UpGuard's researchers, around 40,000 NCF customers are estimated to have been impacted by the data leak. It is still unclear as to how long the S3 bucket was left exposed before it was discovered. It is also uncertain as to whether any malicious entities accessed the leaky database.

IBTimes UK has reached out to Vickery for further clarity on the matter and will update this article in the event of a response.