Days after the Schoolzilla breach, another data breach was discovered, this time at an online futures trading brokerage. It exposed thousands of files, including credit reports, passport scans, and customer chat logs.
Schoolzilla is a U.S.-based data warehouse that held personal information on more than a million American students (K-12). The exposed data reportedly contained a vast amount of test scores and Social Security numbers. That breach was fixed within 24 hours of Chris Vickery’s report.
Chris Vickery of the Kromtech Security Research Team is the internet’s data breach hunter. His job is to find a leak and expose the data before the bad guys do.
The trading firm was identified as AMP, a Chicago, Illinois-based company that offers numerous platforms for online futures trading.
The leak was caused by a misconfigured backup device managed by a third-party IT vendor.
According to Kromtech reports, the issue with the backup system is not uncommon, but the breach is notable for the amount of money that passes through AMP’s systems. “The files indicate that AMP has over $50 million on the books and additionally include the private details of over 10,000 account applicants.”
About 70GB of data, consisting of roughly 97,000 files, had been sitting on the open web, according to Vickery’s report.
“It includes credit reports, passport scans, internal company emails, customer chat logs, and basically everything an identity thief would need in order to mount a serious campaign,” Vickery said. “I was surprised at the number of plaintext customer passwords discussed in the chat logs (by staff and customers alike).”
In most cases, security researchers who report such breaches are treated with suspicion by the companies whose data is at risk. But AMP responded comparatively well, according to Vickery:
“The head honcho over at AMP was surprised when I fully explained the situation to him over a phone call. He rightly wondered what AMP was paying its third-party IT company for. If a third party, which specializes in IT, can’t catch this kind of leakage themselves, there is some serious improvement to be done.
“AMP’s CEO was relieved to hear that I wasn’t trying to sell him anything or attempting any sort of blackmail or extortion, and I’m thankful he understood that I merely discovered the unsecured data rather than causing it to become unsecured. That’s a distinction many people fail to grasp, especially when their company is potentially in the hot seat.”
The AMP leak was contained immediately and is now secured.