
DATA BREACH: 1m+ Financial Records Exposed in Data Incident Involving Fintech Company

Syndicated By: Iain Fraser - Cybersecurity Journalist Gibraltar

13 April 2023

Cybersecurity researcher Jeremiah Fowler discovered and reported to WebsitePlanet a non-password protected database that contained a large number of PDF documents.

The PDF documents that were made public included invoices from both individuals and businesses who used an app to pay for products and services. The invoices contained names, email addresses and physical addresses, phone numbers, and more. In addition, the documents also included notes about what the payment was for, the total amount, due date, and some even contained tax information such as a tax ID number.

Upon further research, it was identified that the database belonged to NorthOne Bank, a financial technology company that is used by over 320,000 American businesses (based on information on their website). It is worth noting that NorthOne is not a full-service bank. Banking services to NorthOne Bank are provided by The Bancorp Bank, which is also a member of the Federal Deposit Insurance Corporation (FDIC), a government agency that provides deposit insurance to financial institutions. NorthOne Bank has offices in New York, USA and Toronto, Canada and its services are available throughout North America.

I immediately sent a responsible disclosure notification to NorthOne Bank of the discovery of the possible security concern. Subsequently, I was informed by the bank that they had “investigated and had resolved the issue and that there were no outstanding open issues”. I first reported the finding on January 19th, 2023 and the database remained unsecured until January 31st, 2023, after sending several follow-up messages, restricting the access to the database and thus to the .PDF documents. It is unclear how long these records were exposed or who else may have had access to the database, if anyone did. We imply no claims or accusations about NorthOne Bank’s security practices. Details provided here are based on the response I received from the bank and our intention is solely to promote better security measures and responsible handling of potential vulnerabilities. It should also be noted that Bancorp Bank is not at fault or responsible for this breach.

The database allowed anyone with an internet connection and the database’s URL to see or download the .PDF documents. There were basic security controls preventing a full indexing of all documents. I estimated that there were over a million files in the database that were marked as “production”. In a random sampling of 1,000 invoices, I observed invoice amounts ranging from as low as $60 to over $10,000 for various services. These included home repairs, pet services, food and beverage, and even medical care.

About Jeremiah Fowler

Jeremiah Fowler is a Security Researcher and co-founder of Security Discovery. Jeremiah began his career in security research in 2015 and has a mission of data protection. He has helped identify and secure the data of millions of people around the world. His discoveries have been covered in Forbes, BBC, Gizmodo, among others. Security and responsible disclosure are not only a passion, but a way of protecting our digital lives.
