Micro-loan startup Kreditech is investigating a November 2014 data breach that resulted in hackers posting the personal and financial records of thousands of applicants online, Krebs on Security reported on Tuesday (March 24).
A spokesperson for Kreditech confirmed the breach, which she called an “isolated internal security incident,” and said that it only affected applicants.
“There is no access to any customer data,” Kreditech head of communications Anna Friedrich said. “This incident stemmed from a form on our website that was stored data in a caching system that deleted data every few days. What happened was that a subset of application data was affected. We are collaborating with the police, but unfortunately there is no more further information that I have to share.”
Friedrich added that Kreditech believes the data was leaked by an insider at the company, but didn’t say whether the suspect was a current or former employee.
The applicant data posted on a website by a hacker group calling itself “A4” included links to loan documents, scanned passports, driver’s licenses, national IDs and credit agreements that appear to have come from Kreditech’s servers.
Statements on the site also claimed that the hackers found hundreds of gigabytes of Kreditech documents. “The company, getting multimillion investments, probably decided to spend them for anything but security of their clients’ data,” the statements said. “As explain[ed] by a member of A4, not that the company’s security is at a low level, it is absent as such. All data to which the group А4 got access will be put online in open access although its curb price is rather considerable.”
The group didn’t say how or when it acquired the documents, but a system log from a MongoDB document database included in the cache is date-stamped Aug. 19, 2014.
Kreditech, which is based in Hamburg, Germany, has raised $63 million from investors since 2012, as well as $200 million earmarked for making loans that range from $80 to $4,000. The company vets credit applications using up to 20,000 data points, ranging from traditional data scoring to social media, and makes loans in Poland, Spain, Russia, the Czech Republic, Mexico, Australia, Peru, the Dominican Republic and Kazakhstan.