Extremely sensitive data from Banco Português de Gestão (BPG) has been leaked due to a misconfiguration in the systems of the bank’s service provider, Nearsoft. This breach could potentially lead to unauthorized money transfers and other malicious activities.
The Discovery
On May 2nd, the Cybernews research team uncovered a misconfiguration in the systems of Nearsoft, a company that provides digital banking and e-government solutions. This misconfiguration exposed highly sensitive financial data of BPG’s clients.
The Data Leaked
The leaked information included:
- Bank account numbers
- IBAN numbers
- Account balances
- KYC documents
- ID card numbers, including citizen ID numbers
- Email addresses
- Phone numbers
- Taxpayer numbers
- Names
- Places of employment
- Occupation
- Marital status
- Dates of birth
- Home addresses
- Answers to security questions
- Authentication secrets
- Internet banking session tokens
This data breach was caused by missing authentication on Nearsoft’s Kibana dashboard, an online tool used for searching, visualizing, and analyzing stored data. According to researchers, this information has been accessible to anyone on the internet, including potential threat actors, since April.
Consequences of the Leak
Because the exposed data was updated in real time, it poses a significant threat to bank users, leaving them vulnerable to attacks such as:
- Identity theft
- Wire fraud
- Doxxing
- Financial profiling
- Spam and phishing campaigns
- Account hijacking and unauthorized money transfers
Response and Current Status
Cybernews contacted Nearsoft, after which the user data was secured. However, an official comment from Nearsoft is still pending.
Broader Implications
This incident highlights the security risks associated with using third-party service providers. The open instance discovered by researchers impacted only Banco Português de Gestão, but Nearsoft’s client base includes numerous other financial institutions that could face similar risks.
Nearsoft clients include:
- Banco Português de Gestão
- First Capital Bank
- Caixa
- Fondation Ondjyla
- Banco Interatlântico
- dnoticias.pt
- Unitel
- Caixa Angola
- IMDM
- Região Autónoma de Madeira
- Horários de Funchal
- Seiva
- BancoKeve
- Bai Cabo Verde
In 2023, Cybernews also revealed a similar data leak at OCR Labs, a major provider of digital ID verification tools for financial institutions. This misconfiguration exposed sensitive credentials affecting six financial institutions: QBANK, Defence Bank, Bloom Money, Admiral Money, MA Money, and Reed.
This data leak serves as a stark reminder of the critical need for stringent security measures when using third-party services in the financial sector. Financial institutions must ensure their service providers comply with international security standards to protect sensitive client data from unauthorized access and potential exploitation.