Extremely sensitive data from Banco Português de Gestão (BPG) has been leaked due to a misconfiguration in the systems of the bank’s service provider, Nearsoft. This breach could potentially lead to unauthorized money transfers and other malicious activities.

The Discovery

On May 2nd, the Cybernews research team uncovered a misconfiguration in the systems of Nearsoft, a company that provides digital banking and e-government solutions. This misconfiguration exposed highly sensitive financial data of BPG’s clients.

The Data Leaked

The leaked information included:

  • Bank account numbers
  • IBAN numbers
  • Account balances
  • KYC documents
  • ID card numbers, including citizen ID numbers
  • Email addresses
  • Phone numbers
  • Taxpayer numbers
  • Names
  • Places of employment
  • Occupation
  • Marital status
  • Dates of birth
  • Home addresses
  • Answers to security questions
  • Authentication secrets
  • Internet banking session tokens

The breach was caused by missing authentication on Nearsoft’s Kibana dashboard, an online tool used for searching, visualizing, and analyzing stored data. According to researchers, this information has been accessible to anyone on the internet, including potential threat actors, since April.

Image captions:

  • KYC documents sent by email – base64 encoded PDF
  • KYC document decoded from base64
  • Account onboarding information, including email, phone number, Citizen ID, Name
  • Authentication tokens, Account balances
  • Internet Banking session token, private customer information, customer manager information, and answers to security questions
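
The exposed records included session tokens, authentication secrets, answers to security questions, IBANs and base64-encoded KYC PDFs. As an added example (not code from Cybernews or Nearsoft), the sketch below scrubs such values from an event before it is written to a searchable store like the one behind a Kibana dashboard. The field names and the sample event are assumptions constructed for illustration.

```python
import re

# Key names that suggest credentials; these names are assumptions for this sketch.
SENSITIVE_KEY = re.compile(r"token|secret|password|security_answer", re.I)
IBAN = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
# "%PDF-" always base64-encodes to this prefix, so it marks an embedded PDF.
B64_PDF = re.compile(r"JVBERi0[A-Za-z0-9+/=]+")


def iban_ok(candidate):
    """ISO 13616 mod-97 check, so unrelated identifiers are not masked."""
    moved = candidate[4:] + candidate[:4]
    return int("".join(str(int(c, 36)) for c in moved)) % 97 == 1


def mask_iban(match):
    value = match.group(0)
    if not iban_ok(value):
        return value
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scrub(event):
    """Return a copy of an event (dict/list/str tree) with secrets removed."""
    if isinstance(event, dict):
        return {k: "[REDACTED]" if SENSITIVE_KEY.search(k) else scrub(v)
                for k, v in event.items()}
    if isinstance(event, list):
        return [scrub(v) for v in event]
    if isinstance(event, str):
        event = B64_PDF.sub("[PDF ATTACHMENT REMOVED]", event)
        return IBAN.sub(mask_iban, event)
    return event


# Constructed sample event; every value is made up for the example.
SAMPLE = {
    "event": "onboarding_email_sent",
    "session_token": "constructed-token-value",
    "body": "IBAN PT50000201231234567890154 attached: JVBERi0xLjQKJcfs",
    "order_ref": "AB12CDEFGHIJKLMNOP",
    "customer": {"security_answer": "constructed", "balance": 1520.75},
}

if __name__ == "__main__":
    print(scrub(SAMPLE))
```

The checksum test keeps look-alike identifiers such as `order_ref` intact. Line-wrapped base64 and other personal fields (balances, ID numbers) are outside what this sketch covers.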

Consequences of the Leak

Because the exposed data was being updated in real time, it poses a significant threat to bank users, leaving them vulnerable to attacks such as:

  • Identity theft
  • Wire fraud
  • Doxxing
  • Financial profiling
  • Spam and phishing campaigns
  • Account hijacking and unauthorized money transfers

Response and Current Status

Cybernews contacted Nearsoft, after which the user data was secured. However, an official comment from Nearsoft is still pending.

Broader Implications

This incident highlights the security risks associated with using third-party service providers. The open instance discovered by researchers impacted only Banco Português de Gestão, but Nearsoft’s client base includes numerous other financial institutions that could face similar risks.

Nearsoft clients include:

  • Banco Português de Gestão
  • First Capital Bank
  • Caixa
  • Fondation Ondjyla
  • Banco Interatlântico
  • dnoticias.pt
  • Unitel
  • Caixa Angola
  • IMDM
  • Região Autónoma de Madeira
  • Horários de Funchal
  • Seiva
  • BancoKeve
  • Bai Cabo Verde

In 2023, Cybernews also revealed a similar data leak at OCR Labs, a major provider of digital ID verification tools for financial institutions. This misconfiguration exposed sensitive credentials affecting six financial institutions: QBANK, Defence Bank, Bloom Money, Admiral Money, MA Money, and Reed.

This data leak serves as a stark reminder of the critical need for stringent security measures when using third-party services in the financial sector. Financial institutions must ensure their service providers comply with international security standards to protect sensitive client data from unauthorized access and potential exploitation.
