The Hacker News reports that nearly 1.7 million records involving financial information from African and Indian financial services customers have been leaked as a result of an exposed ElasticSearch server instance for the ENCollect debt collection platform.
The insecure server exposed not only names, birthdates, and account numbers, but also 48,043 unique email addresses, 105,974 phone numbers, 114,747 mailing addresses, and 157,403 loan amounts, according to a report from UpGuard. UpGuard also noted that the server leaked contact information from co-applicants and family members. While ENCollect has already secured the exposed database, malicious actors could leverage the leaked data in future scams and extortion schemes, researchers said. "The digitization of financial services provides many opportunities for efficiencies in processes like debt collection, but also creates unexpected risks in the supply chain. Vendor solutions also create the risk for multiparty exposures when their data sets are sourced from several clients, as in this case," researchers added.