vpnMentor spots a data breach in Credit Fair, Chqbook Database


Bengaluru: A website focused on virtual private networks, vpnMentor, discovered a breach in the databases of financial services firms Credit Fair and Chqbook on July 24 and alerted both companies to the risk, ET has learnt.

Credit Fair offers customers access to small personal loans, while Chqbook lets customers compare personal finance products such as loans and credit cards, based on their financial status.

Both Credit Fair and Chqbook require customers to provide considerable personal and financial details on their websites.

“The databases were unencrypted and completely unsecured, creating a huge risk for customers of both companies,” vpnMentor told ET. The breaches were discovered by Noam Rotem and Ran Locar from the firm’s research team, it said, sharing the data related to the breach exclusively with ET.

vpnMentor, which had earlier reported multiple such incidents globally, said these breaches were found as a result of a web mapping project.

“Our hackers use port scanning to examine particular IP blocks and test open holes in systems for weaknesses. They examine each hole for data being leaked. Our team discovered that both Credit Fair and Chqbook’s entire databases were unprotected and unencrypted. The companies use an Elasticsearch database, which is ordinarily not designed for URL use,” it said.

Through Credit Fair’s unsecured database, vpnMentor said it accessed personal details like names, phone numbers, addresses, birth dates, PAN and Aadhaar numbers, IP addresses and more. Altogether, it accessed 44,000 customer records. vpnMentor reported the vulnerability to the Mumbai-based firm, but had not yet received a response, it said.

Credit Fair did not respond to an email on the developments. ET could not independently verify whether its website had been breached.

For Chqbook, vpnMentor discovered that it could access personal details, along with details of cards and payments, monthly income, employment profile and user ID, among others. The VPN site said Chqbook secured the database leak within 48 hours of it being reported.

Vipul Sharma, founder and CEO of Chqbook, told ET, “We have received an email from a VPN company and are investigating the same and are in touch with them. Chqbook takes pride in our security layers and measures we have on the platform, and would like to put on record that customer data is intact and we have conducted checks for the same internally.”

Data breaches in India cost organisations about Rs 12.8 crore on average between July 2018 and April 2019, according to an IBM-sponsored report. The average total cost of data breaches globally was $3.92 million (about Rs 27.03 crore), with the average size of the breach pegged at 25,575 records, as per the report.

Data breaches allow criminals to commit identity fraud, hack and take over accounts, phish or extort, and indulge in other illegal activities. With access to a user's financial details, criminals can hold the user to ransom or extort them.

Advertisers and scam artists can also use data breaches to create precisely targeted, manipulative and exploitative ad campaigns on social media to push products or services on to vulnerable customers.




