Credia.ge, a Georgia-based agency, has exposed thousands of its customers' personal and loan information.
Security researcher Bob Diachenko identified the Elasticsearch cluster on August 3rd. However, a Shodan search showed that the cluster had first been indexed back in September 2018.
The database in question was named "compromised" in the Shodan search results and contained a total of 142,571 user records, which included the following information: usernames, full addresses, DOBs, passport numbers, emails, loan amounts, tax ID codes, IBAN bank numbers and more.
“Loan collection contained 12,416 records, with similar data – however, each line appears to be unique in that one. Application collection had 229,474 records, with additional details on loans and deny reason and deny methods,” wrote Diachenko.
A Readme note was also found with a ransom demand of 0.1 BTC.
Diachenko sent a responsible disclosure alert to the organisation, but the company did not respond. As a result, the Georgian CERT authority was contacted, and the database was pulled offline on the same day.
“It is unknown, whether somebody else has accessed the data while it was set to public (since last year, obviously), but the chances are high that this information had been exfiltrated at some point.”
It is worth acknowledging that the company started liquidation in June 2019.
Diachenko has stressed on multiple occasions the dangers of leaving an Elasticsearch or similar NoSQL database exposed to the internet. An unauthenticated instance allows cybercriminals to install malware or ransomware and subsequently take control of the whole system.
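The exposure described in this report is typically the result of an Elasticsearch node bound to all interfaces with no authentication. The following elasticsearch.yml fragment is an added illustration, not configuration from Credia.ge or the original article: the first block shows the weak settings, the second the hardened equivalent (the 10.0.0.5 address and certificate paths are assumed placeholders).

```yaml
# --- Weak: reachable from the internet, no authentication (constructed example) ---
cluster.name: loans-cluster
network.host: 0.0.0.0            # listens on every interface, including public ones
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false     # anyone who reaches port 9200 can read, write or delete indices

# --- Hardened: private binding, authentication and TLS enabled (constructed example) ---
cluster.name: loans-cluster
network.host: 10.0.0.5            # assumed private interface; never a public address
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true      # enforces users, roles and API keys on every request
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12       # assumed path
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/transport.p12   # assumed path
xpack.security.transport.ssl.verification_mode: certificate
```

Even with the hardened settings, the node should sit behind a firewall that only admits known application hosts, so that a future misconfiguration does not re-expose the data.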