UK money transfer service ‘leaks private data and passport scans’ of 11,000 customers
A London-based money transfer service called KS Enterprises Limited reportedly left the personal information of more than 11,000 customers online without adequate password protection earlier this month, a security firm revealed this week (Thursday 27 July).
According to Kromtech Security Research Centre, a division of Germany-based MacKeeper, the data included passport scans and proof-of-address documents such as tax bills, loan records and driving licenses. A number of internal company files were also included, researchers said.
The files were discovered on a publicly available Amazon Web Services cloud server and had clear links to KS Enterprises Limited, a UK-based business that has been operational since 2002 and specialises in sending direct money transfers to Bangladesh.
“The data was […] hosted under company domain abbreviation name ‘ksel’ and contained sensitive and personal information that could be used by criminals for fraudulent activities,” wrote Kromtech’s chief communication officer Bob Diachenko in a blog post.
The team discovered the unprotected AWS database in early July and sent email notifications to the company twice, to little response. While it remains unclear how long the data was in the wild, Kromtech said the leak had been plugged.
“Nobody responded on notification emails, so we called them,” Diachenko said.
“We made clear how serious the leaky [AWS server] was but they said they couldn’t do anything about it until ‘the boss’ was back. Even now we don’t have official statement from them to include but, most importantly, the repository has now been secured.”
“The risk of having […] public access is huge as anybody with an internet connection can view and download the data via browser – with no special skills at all. We see so many manually set to public access and even Amazon has started to send out notification emails to those owners.”
According to its website, KS Enterprises Limited was established to “provide money transfer services to the estimated 600,000 Bangladeshi people living in the UK”. Kromtech researchers said the business had helped to facilitate 3.5 million transactions last year.
“The breach is highly sensitive and with passport scans, banking info, and more it is very high risk that could adversely affect customers’ privacy,” commented Alex Kernishniuk, vice president of strategic alliances at Kromtech, in the blog post.
“The danger of having publicly accessible AWS buckets is huge for any businesses, small or large, so it is important for anybody working with digital assets to follow simple cyber hygiene rules.”
KS Enterprises Limited did not immediately respond to a request for comment.
A spokesperson with the UK data breach watchdog, the Information Commissioner’s Office (ICO), said: “Organisations have a duty to keep people’s personal data safe. We have been made aware of an incident involving KS Enterprises and are making enquiries.”