Have you ever received a phone call from a seemingly legitimate vendor, who knew all your personal and financial information, and then requested an advance payment or financial assistance from you? If you have, you know how terrifying this situation can be. It only takes one small mistake to send your finances into disarray.
But you are not alone in this struggle. Jaramiah Fowler, a cybersecurity expert, helped avoid this nightmare scenario by his vigilance. Fowler discovered a database containing a million consumers’ personal and financial information, including names, email addresses, postal addresses, phone numbers, payment purposes, sums paid, due dates, and tax ID numbers. The database had invoices from people and companies who paid for their goods and services using an app.This database belonged to NorthOne Bank, a FinTech company used by over 320,000 American businesses
About NorthOne
NorthOne is a popular FinTech company that offers integration options with various services, including but not limited to Airbnb, Cash App, Lyft, PayPal, Quickbooks, Shopify, Square, Stripe, Uber, Venmo, and Wave. It is worth noting that NorthOne is not a full service bank. Banking services to NorthOne Bank are provided by The Bancorp Bank.
The Incident
The findings were first reported on January 19th, 2023 and the database remained unsecured until January 31st, 2023. It is unclear how long these records were exposed or who else may have had access to the database. It should also be noted that Bancorp Bank is not at fault or responsible for this breach.
The database allowed anyone with an internet connection and the database’s URL to see or download the .PDF documents. There were basic security controls preventing a full indexing of all documents. There were over a million files in the database that were marked as “production”. In a random sampling of 1,000 invoices, Jeremiah observed invoice amounts ranging from as low as $60 to over $10,000 for various services. These included home repairs, pet services, food and beverage, and even medical care.
Invoices in the exposed Dataset
This is how the data appeared in the compromised dataset. You can clearly see “Powered by NorthOne” in the footer of the image.
How Customers can be targeted ?
The data in the unprotected PDFs contains Tax Identification Number (TIN) along with other personal details of the customers. This TIN can be exploited to file fraudulent federal tax returns and claim refunds from the Internal Revenue Service (IRS).
Someone can misuse the data by using the Employee Identification Number (EID) to apply for loans. Another challenge could be to prove that the application was not authorised.
In order to acquire customers’ trust, a con artist may also pose as a legitimate financial organisation and cite transaction receipts. Consumers’ personal information can be used by other parties to influence them and reveal sensitive information.
What went wrong?
It seems that NorthOne had a database with no protection on. You can learn how to safeguard your database, code repositories, and code infrastructure with PureAUTH‘s Just-in-Time Access Provisioning. You can learn more in our blog titled Know Your Code Infrastructure.