NCF hack – Personal Data Totaling Around 100GB of Client Information Exposed Online

National Credit Federation

On account of a faulty server unit, the National Credit Federation left client data of an estimated 40,000 customers out in the open.

Over 10,000 U.S. citizens have been left exposed, with personal data such as credit reports, bank account numbers and Social Security numbers made publicly accessible on the Internet by the NCF (short for the National Credit Federation). The credit repair service, which operates out of Florida, exposed up to 100 GB of client data by no fault of their own. The culprit is a cloud storage server owned by digital giant Amazon, which exposed the firm's clients to such crimes as hacking, financial privacy breaches, and identity theft.

Chris Vickery, cyber risk director at UpGuard, spotted the NCF's unstable server, known as an S3 bucket in the tech world, on October 3rd of this year. In recent times, many such leaky buckets have caused data loss, exposing immense amounts of traffic and information from different firms, companies, and even governmental authorities. For example, quite recently a significant amount of classified intelligence owned by the NSA and the U.S. military was left in the open on account of one such S3 bucket.

In the recent leak, the NCF's vulnerable information included sensitive client details, including, but not limited to, biographical details (addresses, names, and birthdates), social security data, bank account numbers, credit card numbers, reports, and tax returns. Similar service providers TransUnion, Experian, and Equifax were also affected by the data leak, with their customers' credit reports being exposed in the thousands.

Dan O'Sullivan, a cyber resilience analyst also working for UpGuard, covered the matter in a blog post, confirming that the targeted repository of the NCF opened up a lot of very private customer information, stored in credit blueprints for each client.

The analyst continues by describing the theft of video clips owned by the NCF that contain the screen-logged archives of employee computers that were in the process of accessing client data in order to explain their meaning to them. This hoard of information can be employed by cybercriminals to engage in identity theft and to compromise the finances of clients operating with the NCF, O'Sullivan writes.

As the breach was not immediately traced, the compromised storage unit kept receiving and recording data until its use was discontinued, giving any lurking hacker the opportunity to gather fresh batches of potential targets by doing nothing but waiting for an update.

UpGuard research teams have been able to estimate the number of NCF clients directly affected by the leak at approximately 40,000. At the time of this writing, how long the breached S3 bucket was exposed is yet to be determined, as is the potential of third-party wrongdoer access to the data.