- Researchers discover large databases during routine analysis of available indexes
- Database contained sensitive data on more than 1.6 million Kapital customers
- The company has yet to close the archive
A Mexican fintech startup has been found with a vast database full of sensitive customer data wide open on the internet, available to anyone who knows where to look.
Security researchers from Cyber news found the database in early September 2024 after a routine search of publicly available indexes.
The database, owned by a company called Kapital, contained sensitive data on 1.6 million Mexicans, including voter IDs and selfies.
Database still available online
Mexico City-based Kapital specializes in serving small and medium-sized businesses (SMEs) with limited access to bank credit and offers various financial services, such as credit cards or loans, and has approximately 80,000 customers in the region, according to Fintech nexus.
“The documents are an integral part of voting, identity verification and access to various services. Their exposure jeopardizes the immediate security and privacy of individuals and could have negative financial consequences,” the Cybernews team said in its article.
When it comes to the financial implications, it was explained that the data could be used in wire fraud, identity theft and similar money-related crimes: “Threat actors can easily obtain sensitive information and misuse it for identity theft. Criminals may attempt to create fraudulent accounts or gain unauthorized access to existing accounts,” the researchers warned. “Financial fraud can lead to significant financial losses and damaged credit scores.”
To make matters worse, Capital doesn’t seem to care that much. Cybernews claims to have contacted them “dozens” of times, to no avail. The country’s Computer Emergency Response Team (CERT) was also informed. But by the time the researchers published their report, which was on November 6, the database was still active, three months after the initial discovery.
Misconfigured cloud databases remain one of the leading causes of data breaches and breaches, exposing millions of customer data every month.