A large amount of confidential data relating to two financial companies has been found exposed online in the latest case of a failure to secure a cloud-hosted database.

The exposure was discovered by security researchers at vpnMentor and publicized Tuesday. It’s believed to be linked to MCA Wizard, an iOS and Android app developed by Advantage Capital Funding and Argus Capital Funding.

The database was 425 gigabytes in size and included more than 500,000 highly sensitive documents such as private legal and financial files. Those files included credit reports, bank statements, legal documents, contracts, driver’s license copies, tax returns, purchase orders and receipts, Social Security information and more.

The security researchers attempted to reach out to both companies with no success in December before opting to contact cloud host Amazon Web Services Inc. Jan. 7. The database was finally taken offline Jan. 9.

“This is another unfortunate instance of an AWS bucket left open without any security protocols, leaving extremely sensitive legal and financial documents unprotected online — accessible to anyone worldwide,” James Carder, chief security officer and vice president of security intelligence company LogRhythm Inc., told SiliconANGLE. “In 2020, businesses are increasingly moving information to the cloud for cost efficiency, increased flexibility, and improved accessibility. However, it is important to understand the gravity of what it means to move this type of information to the cloud and be prepared to use everything at your disposal to protect it.”

Anurag Kahol, chief technology officer of cloud access security broker firm Bitglass Inc., noted that the leak could have been avoided by using data-centric security tools that ensure proper configuration of cloud services, deny unauthorized access, enforce real-time access control and the like. “Companies must deploy security solutions that provide the breadth and depth of capabilities needed in order to maintain complete visibility and control over data in the cloud,” he said.

Chris DeRamus, chief technology officer of cybersecurity company DivvyCloud Corp., said that it’s unclear how long the database was left open, and threat actors could have already accessed the personally identifiable information and shared it on dark web marketplaces for a quick profit.

“Especially for financial organizations that manage sensitive information and capital, a proactive approach to ensuring data is secure is necessary,” DeRamus said. “Automated cloud security solutions can detect misconfigurations in real-time and trigger instant remediation  so that vulnerabilities are identified and fixed within seconds and cloud resources remain secure.”

Image: MCA Wizard