An Elasticsearch instance was left exposed on the Internet with no password. It contained financial information about Indian and African loans.
The leak, which was discovered by researchers from information security company UpGuard, amounted to 5.8GB and consisted of a total of 1,686,363 records.
“Those records included personal information like name, loan amount, date of birth, account number, and more,” UpGuard said in a report shared with The Hacker News. “A total of 48,043 unique email addresses were in the collection, some of which were for the product administrators, corporate clients, and collection agents assigned to each case.”
The exposed instance, used as data storage for a debt collection platform called ENCollect, was detected on February 16, 2022. The leaky server has been inaccessible to the public since February 28, following intervention from the Indian Computer Emergency Response Team (CERT-In).
ENCollect is billed as the “world’s best collector’s app,” allowing collection agents to track loan payments, initiate legal actions as well as offer methods for delinquency management, settlements, and repossession.
UpGuard stated that the loans originated from Lendingkart, IndiaLends, Shubh Loans (MyShubhLife), Centrum (Rosabo), and Accion. The leaked information included personal information about the borrowers.
Furthermore, the dataset encompassed 114,747 mailing addresses, 105,974 phone numbers, and 157,403 loan amounts. A subset of these records also revealed additional information such as contact details of co-applicants, family members, and other personal references.
“Some records contained overdue amounts, the type and length of the loan, and internal notes left by collection agency staff regarding loan repayments,” UpGuard said.
Although the misconfigured server has been secured, anyone with malicious intent could still use the information to target users as part of scams or extortion schemes, or even masquerade as loan collectors to target borrowers.
“The digitization of financial services provides many opportunities to improve processes such as debt collection but also presents unexpected risks in supply chains,” researchers stated. “Vendor solutions also create the risk for multiparty exposures when their data sets are sourced from several clients, as in this case.”