[BreachExchange] 425GB of data linked to MCA Wizard app found exposed on unsecured database

Destry Winant destry at riskbasedsecurity.com
Thu Mar 19 10:05:24 EDT 2020


https://siliconangle.com/2020/03/17/425gb-data-linked-mca-wizard-app-found-exposed-unsecured-database/

A large amount of confidential data relating to two financial
companies has been found exposed online in the latest case of a
failure to secure a cloud-hosted database.

The exposure was discovered by security researchers at vpnMentor and
publicized Tuesday. It’s believed to be linked to MCA Wizard, an iOS
and Android app developed by Advantage Capital Funding and Argus
Capital Funding.

The database was 425 gigabytes in size and included more than 500,000
highly sensitive documents such as private legal and financial files.
Those files included credit reports, bank statements, legal documents,
contracts, driver’s license copies, tax returns, purchase orders and
receipts, Social Security information and more.

The security researchers attempted to reach out to both companies with
no success in December before opting to contact cloud host Amazon Web
Services Inc. Jan. 7. The database was finally taken offline Jan. 9.

“This is another unfortunate instance of an AWS bucket left open
without any security protocols, leaving extremely sensitive legal and
financial documents unprotected online — accessible to anyone
worldwide,” James Carder, chief security officer and vice president of
security intelligence company LogRhythm Inc., told SiliconANGLE. “In
2020, businesses are increasingly moving information to the cloud for
cost efficiency, increased flexibility, and improved accessibility.
However, it is important to understand the gravity of what it means to
move this type of information to the cloud and be prepared to use
everything at your disposal to protect it.”

Anurag Kahol, chief technology officer of cloud access security broker
firm Bitglass Inc., noted that the leak could have been avoided by
using data-centric security tools that ensure proper configuration of
cloud services, deny unauthorized access, enforce real-time access
control and the like. “Companies must deploy security solutions that
provide the breadth and depth of capabilities needed in order to
maintain complete visibility and control over data in the cloud,” he
said.

Chris DeRamus, chief technology officer of cybersecurity company
DivvyCloud Corp., said that it’s unclear how long the database was
left open, and threat actors could have already accessed the
personally identifiable information and shared it on dark web
marketplaces for a quick profit.

“Especially for financial organizations that manage sensitive
information and capital, a proactive approach to ensuring data is
secure is necessary,” DeRamus said. “Automated cloud security
solutions can detect misconfigurations in real-time and trigger
instant remediation so that vulnerabilities are identified and fixed
within seconds and cloud resources remain secure.”

