Thousands of Driver’s Licenses, Bank Records, and PII Exposed in Australian Fintech Data Leak

Cybersecurity analyst Jeremiah Fowler has discovered an unprotected Amazon S3 database that wasn’t encrypted or password protected and contained some 27,000 records. The records included highly personal information such as driver’s licenses, Medicaid cards, work statements, and bank statements that held account numbers and partial credit card numbers.

The name of the database and the internal files names suggest that the database was owned by Australian fintech company Vroom by YouX (formerly Drive IQ).

In addition, Fowler discovered an internal screenshot that showed another instance of MongoDB storage with 3.2 million documents. However, he did not examine its content and could not determine whether such files existed or were securely locked. He emphasized the risks of exposing internal file storage locations, database names, and internal-use systems. “When cybercriminals know where internal data resides, it can become another attack vector or backdoor deeper into ...