- Resaearchers uncover large database during routine analysis of available indexes
- Database held sensitive data on more than 1.6 million Kapital customers
- Company is still yet to close the archive
A Mexican fintech startup has been found holding a large database full of sensitive customer data wide open on the internet, available for anyone who knows where to look.
Security researchers from Cybernews found the database in early September 2024 after a routine investigation of publicly available indexes.
The database, belonging to a company called Kapital, contained sensitive data on 1.6 million Mexicans, including voter IDs and selfies.
Database still available online
Mexico City-based Kapital specializes in serving small and medium-sized businesses (SMB) with limited access to bank credit, providing different financial services, such as credit cards, or loans, and counts roughly 80,000 customers in the region, according to Fintech Nexus.
“The documents are integral to voting, identity verification, and accessing various services. Their exposure compromises individuals’ immediate safety and privacy and can have negative financial consequences,” the Cybernews team noted in its writeup.
When it comes to financial consequences, it was explained that the data can be used in wire fraud, identity theft, and similar money-related crime: “Threat actors can easily obtain and misuse sensitive information for identity theft. Criminals might attempt to create fraudulent accounts or gain unauthorized access to existing ones,” the researchers warned. “Financial fraud could lead to substantial monetary loss and damaged credit scores.”
To make matters worse, Kapital doesn’t seem to care much. Cybernews claims to have reached out “dozens” of times, to no avail. The country’s Computer Emergency Response Team (CERT) was also notified. However, by the time the researchers published their report, which was on November 6, the database was still up and running, three months after initial discovery.
Misconfigured cloud databases continue being one of the key causes of data breaches and leaks, exposing millions of customer records every month.
- Hundreds of Google Firebase websites might have leaked data online
- Here’s a list of the best antivirus
- These are the best endpoint protection tools right now