#Thousands of Borrowers' Data Exposed from ENCollect Debt Collection Service

-

 image

An ElasticSearch server instance that remained open on the Internet without a password contained sensitive financial information about loans from financial services providers in India and Africa. The leak discovered by researchers at 

 information security company UpGuard was 5.8 GB and consisted of a total of 1,686,363 records. 

 "These records contained personal information such as name, loan amount, date of birth, account number, etc.," UpGuard said in a report shared with The Hacker News. "The collection has a total of 48,043 unique email addresses, some of which were intended for their respective product managers, corporate customers, and collection personnel." Discovered in February 2022. .. The leaked server has not been open to the public since February 28, with the intervention of  the Indian Computer Emergency Response Team  (CERTIn). 

 ENCollect is called the "World's Best Collector App" that enables debt collectors to track loan payments, initiate legal action, and provide methods of delinquency management, settlement, and foreclosure. According to 

 Up-guard, the loan comes from lending services such as Lendingkart, IndiaLends, Shubh Loans (MyShubhLife), Centrum, Rosabo and Accion, and the leaked information also includes the borrower's personal information. 

 In addition, the dataset contained 114,747  addresses, 105,974 phone numbers, and 157,403 loan amounts. A subset of these records also included additional information such as co-applicant contact details, family members, and other personal references. 

 "Some records included internal notes  by collection agency employees regarding delinquency amounts, loan types and durations, and loan repayments," UpGuard said. 

 A misconfigured server is protected, but a malicious person could use that  information to target users as part of a fraud or extortion scheme and impersonate a loan collector targeting borrowers. There is always. 

 “Digitization of financial services offers many opportunities to increase the efficiency of processes such as debt collection, but it also poses unexpected risks to the supply chain,” researchers say. “Vendor solutions also carry the risk of multi-party exposure if the dataset is from multiple customers, as in this case.”

Comments

Post a Comment

Popular posts from this blog

#$1.5M phishing scam

-
Image
  The US Department of Justice has convicted a Nigerian national of participating in a business email compromise (BEC) scam worth $1.5 million. The Feds say Ebuka Raphael Umeti, 35, perpetuated the scam with two alleged partners in crime, using a combination of social engineering and malicious software to pull off the million-dollar BEC scheme. A BEC fraud involves phishing emails and deception to get businesses and organizations to send money or valuable data to attackers, usually over email. According to the DoJ, Umeti got involved in BEC scams as early as February 2016, when one of his alleged co-conspirators, fellow Nigerian national Franklin Ifeanyichukwu Okwonna, is said to have sent Umeti a phishing email template. The collaborators started to see success in 2018, siphoning $571,000 from a New York wholesaler and $400,000 from a Texan metal supplier. In the following years, the scammers started domain spoofing, signed up for VoIP numbers, and communicated over the gaming-focused
Read more

#Microsoft's AI boss thinks it’s perfectly OK to steal content if it's on the open web

-
Image
  Microsoft AI boss Mustafa Suleyman incorrectly believes that the moment you publish anything on the open web, it becomes “freeware” that anyone can freely copy and use. When CNBC’s Andrew Ross Sorkin asked him whether “AI companies have effectively stolen the world’s IP,” he said: I think that with respect to content that’s already on the open web, the social contract of that content since the ‘90s has been that it is fair use. Anyone can copy it, recreate with it, reproduce with it. That has been “freeware,” if you like, that’s been the understanding. Microsoft is currently the target of multiple lawsuits alleging that it — and OpenAI — are stealing copyrighted online stories to train generative AI models, so it may not surprise you to hear a Microsoft exec defend it as perfectly legal. I just didn’t expect him to be so very publicly and obviously wrong! I am not a lawyer, but even I can tell you that the
Read more

#This man used Fake Wi-Fi Scam on Domestic Flights

-
Image
  An Australian man has been charged with running a fake Wi-Fi access point during a domestic flight with an aim to steal user credentials and data. The unnamed 42-year-old "allegedly established fake free Wi-Fi access points, which mimicked legitimate networks, to capture personal data from unsuspecting victims who mistakenly connected to them," the Australian Federal Police (AFP) said in a press release last week. The agency said the suspect was charged in May 2024 after it launched an investigation a month earlier following a report from an airline about a suspicious Wi-Fi network identified by its employees during a domestic flight. A subsequent search of his baggage on April 19 led to the seizure of a portable wireless access device, a laptop, and a mobile phone. He was arrested on May 8 after a search warrant was executed at his home. The individual is said to have staged what's called an evil twin
Read more