A new cybersecurity failure was released by a business in Colombia. Data from customers who requested loans from the warehouse Alkobuy were exposed through a link without any restrictions.
according to the blog MuchHackerin a section of the website from where clients can request loans, more than 50,000 documents were found with private information of about 15,000 people.
The finding was made by a user in Twitterwho contacted the site to alert them to the situation, since it was not a cyberattack, but a security flaw in the platform and it is not known since when it has been occurring.
It may interest you: How long does it take a cybercriminal to guess my email or network password?
The information that was exposed
This store offers its customers a loan option to buy the products it sells there, for which the person must complete a procedure with the store, providing personal information and signing agreements to legalize the debt, payments and so on.
The request is made in the store or online through the establishment’s own platform, which is the one that presents the vulnerability, since anyone can access this information.
The investigation found data such as identification numbers, contracts for the loan agreement and photographs of the clients, which are part of the legalization process. All this condensed in a free access PDF document.
In the contracts found there was more personal information, because they are forms where people put their email address, date of birth, city of residence, telephone numbers, economic activity, type of contract, company where they work, position, monthly income and expenses.
But in addition to the clients, the information of the company’s analysts is also exposed with the hours of entry and exit from their work, with a summary of the hours worked, work breaks, lunch breaks, among others.
In total, the website gives access to more than 30,000 personal data, including photographs, work logs and client details. These could be used to enter the profile of each one and learn more about the loan with the store or take advantage of them for other crimes outside the platform.
The business assured that it is investigating the situation, to take the necessary measures and correct the failure, in addition to informing the competent authorities to find those responsible for the vulnerability.
Alkomprar told TechMarkup:
“From the moment the notification was received, the company carried out the respective analysis of the situation, taking the necessary corrective measures. To date, the information and data are secure and are not of a public nature”.
It may interest you: Those who have Windows 7 and Windows 8 will be vulnerable to cyberattacks
Another case in Colombia
This is the second case of this type that is known in the country so far in 2023. A ruling was also filed recently with keraltithe company that owns the EPS Sanitaswhich presents a vulnerability with the data of its users, leaving them free on the internet without any protection.
It is enough to enter the link, which for the safety of those affected we do not share, to access the entire content package, which belongs to the documentation that people must deliver to the health entity to join the health institution.
The type of files stored are scanned citizenship cards and civil records, affiliation forms and work contracts, all in high image quality, since they are needed for the company’s internal procedures.
Bob Diachenko was the analyst who discovered this failure and found a total of 999,941 documents displayed, but the figure could be higher, taking into account that sanitas has 4.74 million affiliates in Colombia since the Keralty Group handles many more entities like Colsanitas, Medisanitas and Sanitas University Foundation.