A California financing company exposed up to 1 million records online that contained names, addresses, fragments of Social Security numbers and data related to vehicle loans, according to a researcher’s report.
The data comes from Alliance Direct Lending, which is based in Orange, California, writes Bob Diachenko, who works with the security research team at Kromtech Alliance Corp. of Germany. Alliance Direct Lending specializes in refinancing auto loans at a lower interest rate, and it also has partnerships with dealers across the country.
“It is unclear if anyone other than security researchers accessed it or how long the data was exposed,” Diachenko writes in a blog post.
Security researchers, as well as hackers, have had a field day lately exposing configuration mistakes organizations have made when setting up databases. Despite a string of well-publicized findings, the errors are still being made, or at least, not being caught. Aside from breaches, other organizations have seen their data erased and held for ransom, with notes left inside the databases asking for bitcoins (see Database Hijackings: Who’s Next?).
Kromtech notified Alliance, which has since taken the data offline, Diachenko writes. Information Security Media Group’s efforts to reach Alliance officials were not immediately successful. Under California’s mandatory data breach notification law, Alliance would be required to report the breach.
“The IT administrator claimed that it had only recently been leaked and was not up for long,” Diachenko writes. “He thanked us for the notification and the data was secured very shortly after the notification call.”
Researchers came across the data while looking into Amazon Web Services Simple Storage Service (S3) “buckets,” the term for storage instances on the popular cloud hosting service. They were specifically hunting for buckets that had been left online and required no authentication.