DataBreaches.Net


EXCLUSIVE: Creditmate.in developer’s goof left 19,000 consumers’ credit reports unsecured

Posted on August 2, 2018 by Dissent
By Dissent Doe and Lee Johnstone

On July 27, an independent researcher known as “Flash Gordon” (@s7sins on Twitter) contacted DataBreaches.net and Lee Johnstone to report that during a routine keyword search on Google, he had found numerous credit reports from Indian consumers exposed.

Identifying the owner of the database was not easy in this case, but Lee ultimately determined that CreditMate.in was the likely owner of the database.

CreditMate is the website operated by Urja Money Private Limited, a financial technology company that provides services to various banking and financial services companies and non-banking financial companies such as Optimus Finance Limited. Urja Money provides these services to Optimus Financial Ltd through CreditMate. For its part, CreditMate.in offers to help consumers get loans to purchase motorbikes (“two-wheeled bikes”) or used cars.

CreditMate accesses the TransUnion CIBIL credit reporting database to obtain reports on potential customers for its customers like Optimus Financial Ltd. To be clear: the database was not TransUnion’s database. Nor was the IP address TransUnion CIBIL’s IP address. The IP address and database were CreditMate’s.

The exposed files contained 4,717 reports of connections to the CIBIL credit reporting service, and 18,913 JSON reports containing 7,277 email addresses. The credit reports dated from 2016 to the present.

Because the entities involved have acknowledged and confirmed the situation and because we do not want to reveal any internal structures that could be misused by criminals, we will not be posting any redacted screenshots of the exposed files. But similar to credit reports in the U.S., CIBIL reports contain a wealth of personal and financial information, and the exposed reports contained data fields such as:

  • member reference number
  • enquiry number
  • enquiry purpose
  • amount of loan being sought
  • full name
  • date of birth
  • gender
  • income tax ID number (PAN)
  • passport number
  • driver’s license number
  • universal ID number
  • telephone number
  • email address
  • employment information
  • employment income
  • CIBIL credit score
  • residential address
  • office address
  • payment history of other loans/credit cards

On July 29, DataBreaches.net sent email notification to CreditMate.in executives, with copies to Optimus Financial Ltd and TransUnion CIBIL executives.

In response to the notification, we received a detailed and appreciative statement from Jonathan Bill, CEO for CreditMate, who reported that within hours of receiving our email, they had secured the data and started investigating what had happened. They found, in part, that:

  • At no point was there any direct access to TransUnion CIBIL systems or databases, a point which was confirmed by TransUnion CIBIL’s Chief Operating Officer.
  • CreditMate secures data and access to it by IP whitelisting and key management. The IP in question was an internal IP used for storing responses that we received from the credit bureau.
  • During testing and development of new features, one of their developers left the site open after briefly moving it outside of the whitelisted area. The error went undetected until DataBreaches.net notified them.
  • A review of their logs indicated that apart from researchers’ access, “no external compromise was made and any of Google’s crawled data has been deleted.”

CreditMate will be following up by implementing additional automated security measures and will appoint an external agency to conduct a full data security audit, Bill informs DataBreaches.net. They will also be proactively notifying customers, even though they have no reason to believe that data has been compromised.

We also received a statement from TransUnion CIBIL’s Chief Operating Officer, who after noting that it wasn’t their system or database where the problem occurred, informed us that they estimated that 12,500 records were exposed, a number that does not match our research.

Of note, their COO writes:

In order to protect consumers, pending outcome of the investigation, TransUnion CIBIL has suspended Optimus’ access. We take the protection of consumer and customer information extremely seriously and will work closely with Optimus / CreditMate on their investigations and will take all steps necessary to protect consumers.

As of the time of this publication, no statement was received from Optimus Financial Ltd.

Category: Breach Incidents, Business Sector, Exposure, Non-U.S.
