DataBreaches.Net


EXCLUSIVE: Creditmate.in developer’s goof left 19,000 consumers’ credit reports unsecured

Posted on August 2, 2018 by Dissent
By Dissent Doe and Lee Johnstone

On July 27, an independent researcher known as “Flash Gordon” (@s7sins on Twitter) contacted DataBreaches.net and Lee Johnstone to report that during a routine keyword search on Google, he had found numerous credit reports from Indian consumers exposed.

Identifying the owner of the database was not easy in this case, but Lee ultimately determined that CreditMate.in was the likely owner of the database.

CreditMate is the website operated by Urja Money Private Limited, a financial technology company that provides services to banks, financial services companies, and non-banking financial companies such as Optimus Finance Limited; Urja Money provides those services to Optimus through CreditMate. For its part, CreditMate.in offers to help consumers get loans to purchase motorbikes (“two-wheeled bikes”) or used cars.

CreditMate accesses the TransUnion CIBIL credit reporting database to obtain reports on potential borrowers on behalf of its clients, such as Optimus Financial Ltd. To be clear: the exposed database was not TransUnion’s database, and the IP address was not TransUnion CIBIL’s. Both the IP address and the database were CreditMate’s.

The exposed files comprised 4,717 records of connections to the CIBIL credit reporting service and 18,913 JSON credit reports, which between them contained 7,277 email addresses. The credit reports dated from 2016 to the present.

Because the entities involved have acknowledged and confirmed the situation and because we do not want to reveal any internal structures that could be misused by criminals, we will not be posting any redacted screenshots of the exposed files. But similar to credit reports in the U.S., CIBIL reports contain a wealth of personal and financial information, and the exposed reports contained data fields such as:

  • member reference number
  • enquiry number
  • enquiry purpose
  • amount of loan being sought
  • full name
  • date of birth
  • gender
  • income tax ID number (PAN)
  • passport number
  • driver’s license number
  • universal ID number
  • telephone number
  • email address
  • employment information
  • employment income
  • CIBIL credit score
  • residential address
  • office address
  • payment history of other loans/credit cards

On July 29, DataBreaches.net sent email notification to CreditMate.in executives, with copies to Optimus Financial Ltd and TransUnion CIBIL executives.

In response to the notification, we received a detailed and appreciative statement from Jonathan Bill, CEO for CreditMate, who reported that within hours of receiving our email, they had secured the data and started investigating what had happened. They found, in part, that:

  • At no point was there any direct access to TransUnion CIBIL systems or databases, a point which was confirmed by TransUnion CIBIL’s Chief Operating Officer.
  • CreditMate secures data and access to it by IP whitelisting and key management. The IP in question was an internal IP used for storing responses that we received from the credit bureau.
  • During testing and development of new features, one of their developers left the site open after briefly moving it outside of the whitelisted area. The error went undetected until DataBreaches.net notified them.
  • A review of their logs indicated that apart from researchers’ access, “no external compromise was made and any of Google’s crawled data has been deleted.”

CreditMate will be following up by implementing additional automated security measures and will appoint an external agency to conduct a full data security audit, Bill informs DataBreaches.net. They will also be proactively notifying customers, even though they have no reason to believe that data has been compromised.
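CreditMate’s account describes a familiar failure mode: a response store protected only by an IP whitelist, moved outside the whitelisted range during testing and left there, with nothing in place to notice until a search engine crawled it and a researcher found it. The script below is an added example, not CreditMate’s code or any vendor’s tooling. It implements one of the “automated security measures” a practitioner would want after an incident like this: from a vantage point that is not whitelisted, probe every endpoint an inventory says should answer only whitelisted source addresses, and treat any answer at all as a finding, escalating to critical when a 2xx body looks like a bureau record. The endpoint name, the sensitive-key list, and the sample response in the test are assumptions constructed for illustration; the PAN format check relies on the publicly documented five-letter, four-digit, one-letter layout.

```python
"""External exposure check for endpoints that should be IP-whitelisted.

Added example; not CreditMate's or any vendor's code. The endpoint list,
field names and sample responses are constructed for illustration.
Run it from a host that is NOT on the whitelist; any answer is a finding.
"""
import json
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Set
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Indian PAN layout: five letters, four digits, one letter (publicly documented).
PAN_RE = re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b")

# JSON key names that suggest bureau/PII content. Hypothetical selection;
# keys are lowercased with underscores removed before comparison.
SENSITIVE_KEYS = {
    "pan", "passport", "dateofbirth", "dob", "score", "cibilscore", "address",
    "phone", "telephone", "email", "drivinglicence", "aadhaar",
}

# Hypothetical internal store; real targets come from an asset inventory.
EXPECTED_PRIVATE = [
    "http://bureau-store.internal.example/responses/latest.json",
]


@dataclass
class Probe:
    url: str
    status: Optional[int]   # None: refused, timed out or unresolvable
    body: bytes


def fetch(url: str, timeout: float = 5.0) -> Probe:
    """Fetch from the current vantage point, unauthenticated."""
    req = Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return Probe(url, resp.status, resp.read(65536))
    except HTTPError as err:            # 4xx/5xx still proves the host answered
        return Probe(url, err.code, err.read(65536) if err.fp is not None else b"")
    except (URLError, OSError):         # nothing answered: whitelist/firewall holding
        return Probe(url, None, b"")


def sensitive_keys_in(obj, found: Optional[Set[str]] = None) -> Set[str]:
    """Recursively collect JSON keys whose normalised name is in SENSITIVE_KEYS."""
    if found is None:
        found = set()
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key.lower().replace("_", "") in SENSITIVE_KEYS:
                found.add(key)
            sensitive_keys_in(value, found)
    elif isinstance(obj, list):
        for value in obj:
            sensitive_keys_in(value, found)
    return found


def classify(probe: Probe) -> dict:
    """Turn one probe into a finding.

    not reachable : no answer at all; the whitelist is enforced at the edge
    reachable     : host answered 401/403 (auth holding) or 3xx/404/5xx
                    (medium: the whitelist is not enforced at the network edge)
    exposed       : 2xx; critical if the body looks like a bureau record
    """
    finding = {"url": probe.url, "reachable": probe.status is not None,
               "exposed": False, "severity": "none", "reason": "",
               "sensitive_keys": [], "pan_count": 0}
    if probe.status is None:
        finding["reason"] = "no answer"
        return finding
    if probe.status in (401, 403):
        finding["reason"] = f"denied, status {probe.status}"
        return finding
    text = probe.body.decode("utf-8", "replace")
    if 200 <= probe.status < 300:
        keys: Set[str] = set()
        try:
            keys = sensitive_keys_in(json.loads(text))
        except ValueError:
            pass                        # not JSON, but still public content
        pans = len(PAN_RE.findall(text))
        finding.update(exposed=True, reason=f"public, status {probe.status}",
                       sensitive_keys=sorted(keys), pan_count=pans,
                       severity="critical" if keys or pans else "high")
        return finding
    finding.update(reason=f"answered outsiders, status {probe.status}", severity="medium")
    return finding


def run(urls: Iterable[str], fetcher: Callable[[str], Probe] = fetch) -> List[dict]:
    """Probe every URL and return one finding per URL."""
    return [classify(fetcher(url)) for url in urls]


if __name__ == "__main__":
    for finding in run(EXPECTED_PRIVATE):
        print(finding)
```

Schedule it from a host outside the whitelist and alert on anything with `reachable` set: a 404 from outside already means the move out of the whitelisted range happened, even before any file is public. The `fetcher` parameter exists so the classification can be exercised on recorded or constructed responses without touching the network.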

We also received a statement from TransUnion CIBIL’s Chief Operating Officer, who after noting that it wasn’t their system or database where the problem occurred, informed us that they estimated that 12,500 records were exposed, a number that does not match our research.

Of note, their COO writes:

In order to protect consumers, pending outcome of the investigation, TransUnion CIBIL has suspended Optimus’ access. We take the protection of consumer and customer information extremely seriously and will work closely with Optimus / CreditMate on their investigations and will take all steps necessary to protect consumers.

As of the time of this publication, no statement was received from Optimus Financial Ltd.

Category: Breach Incidents, Business Sector, Exposure, Non-U.S.
