March 24, 2015

Kreditech, a consumer finance startup that specializes in lending to “unbanked” consumers with little or no credit rating, is investigating a data breach that came to light after malicious hackers posted thousands of applicants’ personal and financial records online.

A screen shot of the Tor site that links to the documents stolen from Kreditech.

A screen shot of the Tor site that links to the documents stolen from Kreditech.

Earlier this month, a source pointed KrebsOnSecurity to a Web site reachable only via Tor, a software package that directs Internet traffic through a free, global network of relays. That page, pictured in screen shot to the right, included links to countless documents, scanned passports, drivers licenses, national IDs and credit agreements apparently taken from Kreditech’s servers.

The site announced that a group of hackers calling itself “A4” put the information online after finding “hundreds of gigabytes” of Kreditech’s documents, including what appear to be configuration files from the company’s Intranet and internal servers.

“The company, getting multimillion investments, probably decided to spend them for anything but security of their clients’ data,” the hacker group wrote. “As explain by a member of A4, not that the company’s security is at a low level, it is absent as such.All data to which the group А4 got access will be put online in open access although its curb price is rather considerable.”

Anna Friedrich, head of communications at the Hamburg, Germany-based lender, acknowledged that the company had an “isolated internal security incident” in November 2014, and that Hamburg police are investigating.

Friedrich said Kreditech believes the data was stolen not from customers but only from credit applicants. She added that Kreditech believes the information was leaked from within by someone who worked at the company — although she declined to say whether the suspect was a current or former employee.

“There is no access to any customer data,” Friedrich said. “This incident stemmed from a form on our Web site that was stored data in a caching system that deleted data every few days. What happened was that a subset of application data was affected. We are collaborating with the police, but unfortunately there is no more further information that I have to share. ”

Corey Wells, the 19-year-old security researcher from West Virginia who alerted this author to the compromise, said he discovered the breach after building a crawler to identify and index Web sites on the Tor network.

The hacker group didn’t say how it obtained the documents. Wells said the leaked data includes raw logs from a system that appears to have been running MongoDB, a cross-platform document-oriented database. Those logs include a date and time stamp of Aug. 19. 2014, suggesting the breach may have started seven months ago.

Wells said he doesn’t buy Kreditech’s version of events, and that files leaked from the company and posted for download from the Tor Web site suggest at least some were from existing customers.

“There are bank sums, amounts that are in the transaction and the amount left in the accounts,” Wells said. “Some of these look like people who already have accounts with them.”

Unlike traditional lenders, which rely heavily the applicant’s payment and credit history, Kreditech is one of several lenders tapping into social networking data to determine the risk of lending to people who have a tough time getting credit. Kreditech says it uses up to 15,000 data points when assessing an application for a loan.

The company recently secured some credit of its own, receiving a $200 million credit line from Victory Park Capital. According to a January 2015 story at TechCrunch, that deal was one of the largest in the history of online lending services.

While Victory Park Capital is a private investment firm based in Chicago, Kreditech doesn’t appear to operate in the United States, nor in Germany where it is based. According to a cursory overview of the documents leaked online, the bulk of Kreditech’s customers/applicants are from Brazil, the Czech Republic, Dominican Republic, Mexico, Poland, Russia, Spain and Romania.

Update, Mar. 28, 9:40 a.m.: Kreditech’s lawyers sent me a letter (PDF) demanding an immediate correction on several aspects of the story. Mostly, the letter disagrees with statements made not by this author but by others quoted in the story. The company does dispute that any data from applicants in the Dominican Republic could have been compromised because the company did not start operations there until after the breach occurred. Kreditech also said it has not launched operations yet in Brazil or Romania.

22 thoughts on “Kreditech Investigates Insider Breach

  1. JCitizen

    It is a sad thing the the world’s people who need the most help, are victimized by the devil’s own! 🙁

  2. Rick Blaine

    Hamburg police are on to this…we shouldn’t be concerned. What a relief !

  3. Martin

    So the leaked files on Tor website were found before or after Cory Wells found the vulnerability?

  4. Donald J Trump

    Why isn’t Interpol involved in this verses the Hamburg police?

  5. Travis

    “This incident stemmed from a form on our Web site that was stored data in a caching system that deleted data every few days. What happened was that a subset of application data was affected.”

    #facepalm The hackers were right, no security as such. Get it that badly wrong in one place……

    1. nov

      “She added that Kreditech believes the information was leaked from within by someone who worked at the company.”

      There’s also management/owners running this vulnerable company (yet another one)–another example of “clueless” management/owners.

  6. NotMe

    The breach reporting is a bit confusing when it comes to the Euro zone, and since they did not do business in Germany the reporting is different. You always report to the local police, just as in the states, Interpol may be involved, they don’t have to tell us. Just like the FBI, they don’t have to tell us.

    This may not have made the news if it were not reported here.

    Ir probably won’t make the news in the countries whose citizens were affected.

    Nice story, Thanks Brian and thanks to Cory Wells.
    Wish there were more Cory Wells out there.

  7. Robert P. Burke

    In the US, The “president” allowed the underworld to take over sites with banner and clip ads, including, State of NH web site.

    “He” was informed!

    1. SeymourB

      The president of the united states runs the state of new hampshire website?

      Wouldn’t, I dunno, the state of new hampshire run the state of new hampshire website?

      Dammit, I stubbed my big toe! Thanks Obama!

  8. Antonio Censi

    They say that started operation in Brazil in 2015.

    If the data are from Brazilians, the breacher must be more recent than Nov 2014.

  9. Rick

    Brian do you support the use of TOR?

    Kind Regards

    1. Mark

      Tor is used for good and bad things. You might as well ask him if he supports the use of money ^_^

    2. BrianKrebs Post author

      Sure, why not? I use Tor all the time. It’s become far more usable over the past few years, and quite a bit faster and more reliable.

  10. CJ

    Multiple problems
    1 internal breach
    2 insecure web site
    3 clueless security people
    4 clueless database people
    5 clueless developers
    6 ???

  11. Sotiris

    I’m truly sorry for the folks that had their identity information exposed and our probably in a worse situation then before having applied or received credit.
    Justice can only be served if governments got off their ass and criminalized the behavior of these hipsters and other who don’t view IT security seriously. My gut feeling is that if we researched the expenditures of this company we would find out that security was in the last place. This situation should be defined as criminal for any organization that deals with identify information. It’s interesting to note that the company is based in Germany but does business in the US and primarily with non-US clients. It would seem this is a great way of circumnavigating any existing regulations on IT Security.

  12. lilu

    The database was accessible from the outside
    No protection or password nebilo found
    I downloaded it twice with an interval of 6 months, and no one noticed

    Company idlers and criminals 🙂

    p.s. thanks Brian

  13. town

    Thank you, Brian 🙂

    These idiots have placed the base data without password protection
    I downloaded it twice, with an interval of 6 months, and they did not notice

    I did not have free time , what would break down their kreditech network, where there are so many errors

Comments are closed.