[BreachExchange] Student loan company that stole millions from consumers leaks sensitive phone calls, SSNs, tax records

Destry Winant destry at riskbasedsecurity.com
Tue Jun 9 09:43:41 EDT 2020


Researchers at Cybernews.com recently discovered an unsecured Amazon
Simple Storage Service (S3) bucket that contains more than 55,000 call
recordings between loan support workers and American consumers with
outstanding student loans.
This open database also contains more than 25,000 PDFs, many of which
are scans or photos of proof of income (such as pay receipts or tax
returns). Both the proofs of income and call recordings contain the
loaners’ social security numbers, among other sensitive personal data.

The database seems to belong to members of the Student Advocates
Group, which an FTC press release named as a student loan debt relief
scheme that “bilked millions out of consumers by charging illegal
upfront fees and falsely promising to lower or even eliminate
consumers’ loan payments or balances.”

Because the bucket contains sensitive data from people across the US,
including California residents, the bucket owner may have to pay
damages and penalties under the CCPA, since:

- The leaked data contains highly personal information (including
names plus social security numbers and tax ID numbers,)
- The data is both non-encrypted and non-redacted (all samples in this
article have been redacted by CyberNews)
- The leak is “a result of the business’s violation of the duty to
implement and maintain reasonable security procedures and practices
appropriate to the nature of the information.”
- Some of the call recordings take place in early- to mid-2018.
However, one proof of income document was submitted on January 21,

On April 29, we unsuccessfully tried to contact representatives from
the Student Advocates Group. We then contacted Amazon on May 7, and
they were able to secure the indexing on May 9. Unfortunatley, the
database files were still accessible when we checked on May 21, and
Amazon finally secured the database files on May 26.

What data is in the bucket?
There are two groups of files in the unsecured S3 bucket:

- call recordings (as both MP3 and WAV files)
- PDF scans of documents
- Call recordings
- The bucket contains a total of 56,422 call recordings, which is
composed of 51,879 MP3 files and 4,543 WAV files.

Of the recordings we analyzed, most of them seem to have taken place
in early- to mid-2018. The recordings were apparently made for quality
control, but they are not censored. One support agent called them a
“two-minute quality control recording” that served as a “financing
verification call recording.” However, many of the recordings are
roughly 5 minutes, with one phone call lasting more than 33 minutes.

Some phone calls, featuring what appears to be the same support agent,
record before and after this “quality control recording” portion, even
though recording is supposed to begin only after the agent confirms
the recording (“This call is being recorded for quality assurance
purposes. Is that OK?”).

At the beginning of the calls, the support agent confirms the
following details with the consumer:

- name
- social security number
- date of birth
- address
- phone number

Other calls also include:

- credit card number, CVV and expiration date
- banking information (account and routing numbers)
- PIN numbers
- emails
- occupation and employer information
- total loan amount
- emergency contact names and relationships
- Some loan support agents help consumers set up security questions
(like the name of their high school mascot, their first pet, etc.) so
that the consumer can verify that the call is coming from the loan

The recordings also reveal information about outstanding loan amounts,
and monthly payments that the caller is agreeing to. Based on the
above call format, it’s likely that there are roughly 56,500 social
security numbers being leaked in this database.

The documents
The bucket contains 25,143 PDFs. The documents in question often serve
as proof of income that the support agents regularly ask for in the
call recordings.

These documents are likely needed so that the loan company can apply
for the free income-driven government repayment plans, such as the
PAYE (Pay As You Earn Repayment Plan) or IBR (Income-Based Repayment

The PDFs include tax returns:

tax return documents
Income-driven repayment requests:

Income-driven repayment requests
Salary statements:

Direct deposit receipts:

All of these are sensitive documents, and some contain multiple social
security numbers.

Who owns the bucket?
All of the calls reference Equitable Acceptance Corporation as a
third-party lender, which led us to believe that they are the owner of
the bucket. However, in one of the calls, the loan support agent
provides a customer a phone number connected to the Progress Advocates
Group LLC (PAG), a company that offers “student loan consolidation

PAG is related to the Student Advocates Group debt relief scheme,
which the FTC claims stole millions of dollars from American consumers
by misleading them about its ability to lower their student loan debt.

According to this FTC complaint [pdf], PAG is part of a group of
companies that operated “a nationwide debt relief telemarketing scam
preying on thousands of consumers struggling with student loan debt.”

For simplicity, we call this group of companies the Student Advocates
Group Scheme (SAGS). This group involved the following companies:

- Progress Advocates Group, LLC
- Student Advocates Team, LLC
- Student Advocates Group, LLC
- Assurance Solution Services, LLC
- Equitable Acceptance Corporation (not in SAGS, but it provided
financing. In one call recording, the support agent says that EAC is a
“finance company helping us finance you.”)
- Based on the FTC complaint, the SAGS scam involved the various LLCs
contacting and convincing struggling consumers that SAGS can help them
lower or eliminate their student loan debt. For their services, SAGS
charged consumers up to $1,400. However, the US government makes these
services available for free to consumers.

Because most of these consumers are not able to pay the deposit (up to
$1,400) upfront, SAGS allows them to pay the fees by financing with
Equitable Acceptance Corporation (EAC). EAC would then charge these
struggling consumers roughly $40/month for months or years, since the
financing came with high 20.99% interest rates:

interest rates
Since late 2019, EAC has been banned from engaging in debt relief
products and services [pdf], or misrepresenting its products and
services. In New York, EAC was banned from collecting on any of its
high-interest scam loans, as well as from financing debt relief
products or services in the state. EAC is also engaged in other
student loan scam complaints.

However, the FTC’s case against the SAGS companies is still pending.
Nonetheless, this unsecured S3 bucket will be another blow to the
infamous debt relief group of companies.

Who had access?
While at the moment it is unknown for how long the data has been left
unprotected, it is possible that the data has been accessed by other
people, possibly bad actors, due to the following two reasons:

The earliest confirmed data goes back to 2018
It is very easy to access unsecured Amazon S3 buckets, as long as you
know where to look
For that reason, it is best to assume that consumers who were
customers of EAC or the SAGS group should check that their identities
haven’t been stolen, or their financial information used.

What’s the impact?
The price of social security numbers in combination with names and
other details can grab good prices on the black market. One PCMag
article pits it at $60-$80, while our own scans of the black market
can put this data at $5 a piece.

With a likely 55,000 social security numbers contained in this bucket,
that would put the value of this leak at $275,000-$4.4 million.

Besides selling this data, with social security numbers bad actors can:

- take out loans in your name
- apply for credit cards
- collect tax refunds
- collect benefits and income
- commit crimes
- set up phone numbers, websites and residences
- use your health insurance
- Seeing as some phone calls contained full credit card details, bad
actors can also make unauthorized purchases. All of this data can also
be used to launch very convincing phishing campaigns.

We identified members of the Student Advocates Group as the owner of
the database and attempted to notify the company about the leak.
However, there was no visible contact information on any of the
websites associated with the group, so we attempted to contact Student
Advocates representative on LinkedIn on April 29, 2020. However, we
received no answer.

On May 4, we reached out to Amazon to help them secure the bucket.
After providing them with more information on May 7, they were able to
secure the bucket on May 9, and it appeared to no longer be accessible
to the outside.

However, on May 21 we noticed that files within the bucket were
accessible, as we could download the same types of files (audio
recordings and documents). We notified Amazon again the same day, and
they were able to secure the files on May 26.

More information about the BreachExchange mailing list