Borrowers' personal data exposed in massive data leak
An Elasticsearch server instance left exposed to the Internet without a password contained sensitive financial information about loans from Indian and African financial services.
The massive data leak, which was disclosed by cybersecurity experts from UpGuard, amounted to 5.8 GB and consisted of a total of 1,686,363 records.
Those records included personal information such as name, loan amount, date of birth, account number, and more. A total of 48,043 unique email addresses were in the collection, some of which belonged to the product administrators, corporate clients, and collection agents assigned to each case.
The exposed instance, used as data storage for a debt collection platform called ENCollect, was detected on Feb. 16.
ENCollect is billed as the "world's best collector's app," allowing collection agents to track loan payments and initiate legal actions, and offering methods for delinquency management, settlements, and repossession.
The dataset encompassed 114,747 mailing addresses, 105,974 phone numbers, and 157,403 loan amounts. A subset of these records also revealed additional information such as contact details of co-applicants, family members, and other personal references.
Further, 565 schools in New York, covering more than 1 million students, were among those whose private student data was affected in a hacker attack on Illuminate Education’s systems.