Kreditech, a consumer finance startup that specializes in lending to “unbanked” consumers with little or no credit rating, is investigating a data breach that came to light after malicious hackers posted thousands of applicants’ personal and financial records online.
Earlier this month, a source pointed KrebsOnSecurity to a Web site reachable only via Tor, a software package that directs Internet traffic through a free, global network of relays. That page, pictured in screen shot to the right, included links to countless documents, scanned passports, drivers licenses, national IDs and credit agreements apparently taken from Kreditech’s servers.
The site announced that a group of hackers calling itself “A4” put the information online after finding “hundreds of gigabytes” of Kreditech’s documents, including what appear to be configuration files from the company’s Intranet and internal servers.
“The company, getting multimillion investments, probably decided to spend them for anything but security of their clients’ data,” the hacker group wrote. “As explain by a member of A4, not that the company’s security is at a low level, it is absent as such.All data to which the group А4 got access will be put online in open access although its curb price is rather considerable.”
Anna Friedrich, head of communications at the Hamburg, Germany-based lender, acknowledged that the company had an “isolated internal security incident” in November 2014, and that Hamburg police are investigating.
Friedrich said Kreditech believes the data was stolen not from customers but only from credit applicants. She added that Kreditech believes the information was leaked from within by someone who worked at the company — although she declined to say whether the suspect was a current or former employee.
“There is no access to any customer data,” Friedrich said. “This incident stemmed from a form on our Web site that was stored data in a caching system that deleted data every few days. What happened was that a subset of application data was affected. We are collaborating with the police, but unfortunately there is no more further information that I have to share. ”
Corey Wells, the 19-year-old security researcher from West Virginia who alerted this author to the compromise, said he discovered the breach after building a crawler to identify and index Web sites on the Tor network.
The hacker group didn’t say how it obtained the documents. Wells said the leaked data includes raw logs from a system that appears to have been running MongoDB, a cross-platform document-oriented database. Those logs include a date and time stamp of Aug. 19. 2014, suggesting the breach may have started seven months ago.
Wells said he doesn’t buy Kreditech’s version of events, and that files leaked from the company and posted for download from the Tor Web site suggest at least some were from existing customers.
“There are bank sums, amounts that are in the transaction and the amount left in the accounts,” Wells said. “Some of these look like people who already have accounts with them.”
Unlike traditional lenders, which rely heavily the applicant’s payment and credit history, Kreditech is one of several lenders tapping into social networking data to determine the risk of lending to people who have a tough time getting credit. Kreditech says it uses up to 15,000 data points when assessing an application for a loan.
The company recently secured some credit of its own, receiving a $200 million credit line from Victory Park Capital. According to a January 2015 story at TechCrunch, that deal was one of the largest in the history of online lending services.
While Victory Park Capital is a private investment firm based in Chicago, Kreditech doesn’t appear to operate in the United States, nor in Germany where it is based. According to a cursory overview of the documents leaked online, the bulk of Kreditech’s customers/applicants are from Brazil, the Czech Republic, Dominican Republic, Mexico, Poland, Russia, Spain and Romania.
Update, Mar. 28, 9:40 a.m.: Kreditech’s lawyers sent me a letter (PDF) demanding an immediate correction on several aspects of the story. Mostly, the letter disagrees with statements made not by this author but by others quoted in the story. The company does dispute that any data from applicants in the Dominican Republic could have been compromised because the company did not start operations there until after the breach occurred. Kreditech also said it has not launched operations yet in Brazil or Romania.