#Privacy: Half a million private, legal and financial documents leaked online

An unsecured database has leaked over 500,000 highly sensitive documents, leaving many at risk of fraud and theft.

Security researchers at vpnMentor, led by Noam Rotem, discovered the database on an unsecured Amazon Web Services (AWS) S3 bucket on Boxing Day last year.

The database appears to be linked to an iOS and Android app, MCA Wizard, which is developed by two fintech companies, Argus Capital Funding and Advantage Capital Funding.

On further research, vpnMentor found that the two companies were the same business operating under two different names, and that they provide “merchant cash advances” (MCAs), a controversial financial instrument used to provide loans and credit advances to small business owners.

The 425GB database contained a variety of documents including credit reports, bank statements, contracts, driver’s licenses, purchase orders and receipts, tax returns, legal paperwork, corporate shares outline and more. 

“These files didn’t just compromise the privacy and security of Advantage and Argus, but also the customers, clients, contractors, employees, and partners,” said vpnMentor.

With this much information exposed, threat actors could launch phishing campaigns, commit check and financial fraud, sell confidential files on underground forums, or even target companies with ransomware, spyware and other forms of online attack. 

“This leak raises serious credibility and trust issues for Advantage and Argus. By not sufficiently securing this database and revealing so much information, they have compromised the safety, privacy, and security of their clients, partners, and customers,” vpnMentor said. 

“Those affected may take action against Advantage and Argus for doing so, either from ceasing to do business with either company or possibly pursuing legal actions. Both would result in considerable loss of clients, contracts, business relationships, and ultimately, revenue.”

Shockingly, whilst researchers tried to contact the firms, new files were still being uploaded to the database. 

After numerous failed attempts to contact the companies, vpnMentor contacted AWS directly, and the database was closed shortly after. 

