An unsecured database left exposed on an Amazon server, possibly for two years, revealed names, addresses, credit scores and parts of Social Security numbers (SSNs) of up to one million applicants for car loans, according to a report on Threatpost.
The exposed database belonged to Alliance Direct Lending Corp., a California-based auto loan company, and was detected earlier this week by the Kromtech Security Research Center, which was investigating vulnerabilities of Amazon Web Services (AWS).
“We discovered this after noticing a few exposed [Amazon server] buckets with -dev iterations,” Bob Diachenko, security communications specialist with Kromtech, told Threatpost. “Technically, anybody could have guessed the name and put that into URL line.”
The exposed information stored on the cloud server was in clear text, Diachenko added.
Full SSNs of several dozen loan applicants were revealed in recorded phone conversations on the database as well.
Data belonging to customers was spread across 114 car dealerships throughout the U.S.
Jaime Alefosio, president of Alliance Direct Lending Corp., told Threatpost she was investigating the incident, but had no further comment.
Kromtech could not confirm whether any third party had accessed the data, but reported that – working with Alliance Direct Lending – the data had been secured late Tuesday.