National Credit Federation Exposes Customer Data on AWS Cloud
National Credit Federation (NCF), a Tampa, FL-based consumer credit repair outfit, reportedly left 111 gigabytes of personal credentials belonging to thousands of customers exposed on an Amazon Web Services (AWS) cloud storage bucket. Perhaps discovery of this latest incident rings a bell? In recent days, word surfaced that 100 gigabytes of classified files together belonging to the NSA Defense Department Command and the U.S. Army Intelligence and Security Command (INSCOM) somehow showed up online for anyone to see.
Similar to the INSCOM bungle, this new episode was unearthed by security provider UpGuard on October 3, when cyber risk researcher Chris Vickery found an Amazon Web Services S3 cloud storage bucket configured for public access containing some 47,000 files, most of them PDF and text documents uncloaking the sensitive information of NCF customers. Anyone capable of accessing the appropriate URL had a goldmine just for the asking.
Numerous AWS customers — through no fault of Amazon and due to each customer’s own missteps — suffered similar data exposures in recent months. To help mitigate such risks, Amazon recently updated its cloud default settings and encryption options for customers.
Still, erroneous user settings could have caused major problems for NCF. The sitting-duck files include data cyber criminals covet:
- Documents submitted by customers to NCF providing their personal and financial details.
- “Personalized credit blueprints” and videos created by NCF for their customers.
- Customer credit reports from Equifax, Experian and TransUnion.
- Photographs and scans of customers’ driver’s licenses.
- Sensitive personal details such as full names, scans and photos of social security cards, birth dates, addresses, financial histories and mortgage ownership.
- Full customer bank account and credit card numbers.
“All of this data could be easily used by malicious actors to steal identities and compromise the personal finances of NCF customers,” wrote Vickery in a blog post.
UpGuard wasted no time in chastizing NCF for its apparent negligence to protect sensitive data for people in compromised financial straits. “A conservative estimate of the number of NCF customers affected by this exposure would be below forty thousand individuals, all of whom needed help in restoring their finances,” said Vickery. “In short, these are people who needed and asked for assistance in getting their lives back on track, and were repaid, through a process still unknown, by having the information they furnished revealed online.”
Should we call UpGuard alarmists or realists? Here’s what the cyber protector has to say about NCF: “The total lack of protection of these people’s data, the remarkably simple means held by any internet user to find and download the information, and the sensitivity of the information contained therein, speaks to the real challenges of fostering cyber resilience today.”
NCF drew criticism from IT security providers for its lack of security awareness. “This leak is yet another example of an organization that is in the dark about where its critical data is exposed,” said Manoj Asnani, Balbix product and design VP. “Unrestricted public access to critical servers should never have been allowed — but with the complexity and scale of the IT environment, some of the most obvious issues are missed by security professionals.”
Mike Schuricht, Bitglass product management VP, also weighed in: “AWS may have bolstered its native security features, but that doesn’t mean the frequency of data leaks will subside,” he said. “The real solution to limiting the impact of these leaks lies in securing the data itself.”