June 14, 2024

An Elasticsearch server instance that was left open on the Internet without a password contained sensitive financial information about loans issued by Indian and African financial services companies.

The leak, which was discovered by researchers from information security company UpGuard, amounted to 5.8GB and consisted of a total of 1,686,363 records.

“Those records included personal information like name, loan amount, date of birth, account number, and more,” UpGuard said in a report shared with The Hacker News. “A total of 48,043 unique email addresses were in the collection, some of which were for the product administrators, corporate clients, and collection agents assigned to each case.”

The exposed instance, used as data storage for a debt collection platform called ENCollect, was detected on February 16, 2022. The server was taken off the public Internet on February 28 following intervention from the Indian Computer Emergency Response Team (CERT-In).
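The root cause described above, an Elasticsearch REST endpoint reachable without credentials, is easy to check for on your own hosts. The script below is an added example and not code from the article or from UpGuard; it assumes the default REST port 9200 over plain HTTP, that a cluster with authentication enabled answers an anonymous request with HTTP 401 or 403, and it uses only the standard library. The host list and the sample responses are constructed.

```python
"""Check hosts for an Elasticsearch REST API that answers anonymous requests.

Added example, not taken from the article or from UpGuard's research.
Assumptions: default port 9200 over plain HTTP; a cluster with security
enabled rejects an anonymous GET / with HTTP 401 or 403.
"""
import json
import sys
import urllib.error
import urllib.request

# Elasticsearch answers GET / with a JSON banner; the tagline is a stable marker.
ES_TAGLINE = "You Know, for Search"


def classify_response(status, body):
    """Map the HTTP status and body of an unauthenticated GET / to a verdict.

    "open"      - anonymous request answered with the Elasticsearch banner
    "protected" - server demanded credentials (401/403)
    "not-es"    - something answered, but it is not an Elasticsearch banner
    """
    if status in (401, 403):
        return "protected"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "not-es"
        if isinstance(doc, dict) and doc.get("tagline") == ES_TAGLINE:
            return "open"
    return "not-es"


def summarize_indices(cat_indices_text):
    """Parse `_cat/indices?h=index,docs.count,store.size` output (one index
    per line, whitespace separated) into (index_name, doc_count) tuples so the
    size of an exposure can be reported."""
    rows = []
    for line in cat_indices_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        name, docs = parts[0], parts[1]
        rows.append((name, int(docs) if docs.isdigit() else 0))
    return rows


def fetch(url, timeout=5):
    """Return (status, body) for an anonymous GET; 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "es-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(host, port=9200):
    """Classify one host; if it is open, also list index names and document counts."""
    base = f"http://{host}:{port}"
    status, body = fetch(base + "/")
    verdict = classify_response(status, body)
    indices = []
    if verdict == "open":
        _, cat = fetch(base + "/_cat/indices?h=index,docs.count,store.size")
        indices = summarize_indices(cat)
    return verdict, indices


if __name__ == "__main__":
    # Constructed default: probe localhost when no hosts are given on the command line.
    for host in sys.argv[1:] or ["127.0.0.1"]:
        try:
            verdict, indices = probe(host)
        except (urllib.error.URLError, OSError) as exc:
            print(f"{host}: unreachable ({exc})")
            continue
        print(f"{host}: {verdict}")
        for name, docs in indices:
            print(f"  {name}: {docs} docs")
```

Run it against hosts you own or are authorized to test (`python3 es_check.py 10.0.0.5 10.0.0.6`). A verdict of "open" means the instance is in the same state as the one described in the article: any client that can reach port 9200 can enumerate indices and read documents. The fix is to enable authentication (`xpack.security.enabled: true` in `elasticsearch.yml`; Elasticsearch 8.x turns this on by default) and to bind the REST interface to a private network rather than a public address.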

ENCollect is billed as the “world’s best collector’s app,” allowing collection agents to track loan payments and initiate legal action, and offering tools for delinquency management, settlements, and repossession.

UpGuard said the loans originated from lending services such as Lendingkart, IndiaLends, Shubh Loans (MyShubhLife), Centrum, Rosabo, and Accion, and that the leaked information also included personal details of the borrowers.

Furthermore, the dataset encompassed 114,747 mailing addresses, 105,974 phone numbers, and 157,403 loan amounts. A subset of these records also revealed additional information such as contact details of co-applicants, family members, and other personal references.

“Some records contained overdue amounts, the type and length of the loan, and internal notes left by collection agency staff regarding loan repayments,” UpGuard said.

Although the misconfigured server has been secured, anyone who copied the data while it was exposed could still use it to target borrowers with scams or extortion schemes, or to impersonate loan collectors.

“The digitization of financial services provides many opportunities for efficiencies in processes like debt collection, but also creates unexpected risks in the supply chain,” the researchers said. “Vendor solutions also create the risk for multiparty exposures when their data sets are sourced from several clients, as in this case.”