By Dissent Doe and Lee Johnstone
On July 27, an independent researcher known as “Flash Gordon” (@s7sins on Twitter) contacted DataBreaches.net and Lee Johnstone to report that during a routine keyword search on Google, he had found numerous credit reports from Indian consumers exposed.
Identifying the owner of the database was not easy in this case, but Lee ultimately determined that CreditMate.in was the likely owner of the database.
CreditMate is the website operated by Urja Money Private Limited, a financial technology company that provides services to various banking and financial services companies and non-banking financial companies such as Optimus Finance Limited. Urja Money provides these services to Optimus Financial Ltd through CreditMate. For its part, CreditMate.in offers to help consumers get loans to purchase motorbikes (“two-wheeled bikes”) or used cars.
CreditMate accesses the TransUnion CIBIL credit reporting database to obtain reports on potential customers for its customers like Optimus Financial Ltd. To be clear: the database was not TransUnion’s database. Nor was the IP address TransUnion CIBIL’s IP address. The IP address and database were CreditMate’s.
The exposed files contained 4,717 reports of connecting to CIBIL credit reporting service, and 18,913 JSON reports with 7277 email addresses. The credit reports were from 2016 – the present.
Because the entities involved have acknowledged and confirmed the situation and because we do not want to reveal any internal structures that could be misused by criminals, we will not be posting any redacted screenshots of the exposed files. But similar to credit reports in the U.S., CIBIL reports contain a wealth of personal and financial information, and the exposed reports contained data fields such as:
- member reference number
- enquiry number
- enquiry purpose
- amount of loan being sought
- full name
- date of birth
- gender
- income tax ID number (PAN)
- passport number
- driver’s license number
- universal ID number
- telephone number
- email address
- employment information
- employment income
- CIBIL credit score
- residential address
- office address
- payment history of other loans/credit cards
On July 29, DataBreaches.net sent email notification to CreditMate.in executives, with copies to Optimus Financial Ltd and TransUnion CBIL executives.
In response to the notification, we received a detailed and appreciative statement from Jonathan Bill, CEO for CreditMate, who reported that within hours of receiving our email, they had secured the data and started investigating what had happened. They found, in part, that:
- At no point was there any direct access to TransUnion CIBIL systems or databases, a point which was confirmed by TransUnion CIBIL’s Chief Operating Officer.
- CreditMate secures data and access to it by IP whitelisting and key management. The IP in question was an internal IP used for storing responses that we received from the credit bureau.
- During testing and development of new features, one of their developers left the site open after briefly moving it outside of whitelisted area. The error went undetected until DataBreaches.net notified them.
- A review of their logs indicated that apart from researchers’ access, “no external compromise was made and any of Google’s crawled data has been deleted.”
CreditMate will be following up by implementing additional automated security measures and will appoint an external agency to conduct a full data security audit, Bill informs DataBreaches.net. They will also be proactively notifying customers, even though they have no reason to believe that data has been compromised.
We also received a statement from TransUnion CIBIL’s Chief Operating Officer, who after noting that it wasn’t their system or database where the problem occurred, informed us that they estimated that 12,500 records were exposed, a number that does not match our research.
Of note, their COO writes:
In order to protect consumers, pending outcome of the investigation, TransUnion CIBIL has suspended Optimus’ access. We take the protection of consumer and customer information extremely seriously and will work closely with Optimus / CreditMate on their investigations and will take all steps necessary to protect consumers.
As of the time of this publication, no statement was received from Optimus Financial Ltd.