Data Leak Strikes Latin America’s Financial Institutions: Fintech App at the Center
Sensitive customer data exposed due to security misconfiguration, affecting thousands across Latin America.
Introduction:
A significant data breach has compromised the personal information of nearly 135,000 clients from various financial institutions in Latin America. The leak, linked to the fintech platform Bankingly, exposed sensitive information from customers in several countries, with the Dominican Republic being the most affected. This incident highlights the risks associated with third-party service providers and underscores the growing need for stronger data security measures in the digital banking sector.
Data Breach Uncovered
On May 24, the Cybernews research team identified a misconfiguration in seven Azure Blob Storage buckets, which were left without proper authentication. This oversight exposed the personal data of nearly 135,000 clients across Latin America, making their information accessible to anyone online. Countries affected by this breach include the Dominican Republic, Mexico, Ecuador, El Salvador, Bolivia, and Costa Rica, with almost 100,000 of the affected individuals coming from the Dominican Republic.
Bankingly, a fintech platform offering digital services to financial institutions in Latin America, was found to be at the center of this leak. The Uruguay-based company primarily caters to small and medium-sized financial entities such as banks, credit unions, and microfinance institutions, especially in rural areas. It is believed that Bankingly used these unsecured storage buckets to hold personal customer data, including full names, usernames, emails, phone numbers, and work contacts.
Institutions Affected
The financial institutions impacted by the data breach include:
- La Cooperativa de Ahorro y Crédito Abierta “San Martín de Porres” (COSMART)
- Asociación La Nacional de Ahorros y Préstamos (ALNAP)
- Caja Buenos Aires
- Caja Mitras
- Coac Puellaro
- Credecoop
- AMC
Risks to Affected Individuals
Although the exposed data does not include highly sensitive information like government-issued IDs or credit card numbers, the breach still puts individuals at risk of phishing and social engineering attacks. According to Cybernews researchers, threat actors could use the leaked data to craft convincing emails or phone calls, impersonating financial institutions to extract further personal information or login credentials from victims.
Another concern is the possibility of credential stuffing attacks. If individuals reuse passwords across platforms, attackers could exploit the exposed usernames or email addresses, combined with information from previous breaches, to gain unauthorized access to accounts.
Response and Security Measures
Since the discovery of the breach, Cybernews has contacted Bankingly, and the exposed data in the storage buckets has been secured. However, Bankingly has not issued an official response, and the affected financial institutions have yet to comment on the matter.
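The misconfiguration described above, storage containers readable without authentication, is something an organization can audit for in its own Azure environment. The following is an added example, not code from Cybernews or Bankingly: it checks a storage inventory for containers that allow anonymous access. The inventory structure, account names and container names are constructed for illustration; the field names allowBlobPublicAccess and publicAccess mirror the Azure Storage properties of the same names.

```python
import json

# Constructed sample inventory (not data from the incident). The structure is an
# assumption for this example; the field names allowBlobPublicAccess and
# publicAccess mirror the Azure Storage properties of the same names.
SAMPLE_INVENTORY = json.loads("""
[
  {"account": "examplebankprod", "allowBlobPublicAccess": true,
   "containers": [{"name": "customer-exports", "publicAccess": "container"},
                  {"name": "app-logs", "publicAccess": null}]},
  {"account": "examplebankdocs", "allowBlobPublicAccess": null,
   "containers": [{"name": "statements", "publicAccess": "blob"}]},
  {"account": "examplebankdev", "allowBlobPublicAccess": false,
   "containers": [{"name": "test-data", "publicAccess": "container"}]}
]
""")

ANONYMOUS_LEVELS = {"blob", "container"}


def audit(inventory):
    """Return (account, container, severity, reason) for each risky container."""
    findings = []
    for acct in inventory:
        # Only an explicit false blocks anonymous access for the whole account;
        # a missing or null value is treated as permissive (conservative choice).
        account_blocks = acct.get("allowBlobPublicAccess") is False
        for c in acct.get("containers", []):
            level = (c.get("publicAccess") or "none").lower()
            if level not in ANONYMOUS_LEVELS:
                continue
            if account_blocks:
                findings.append((acct["account"], c["name"], "LATENT",
                                 "public level set but blocked at account level"))
            elif level == "container":
                findings.append((acct["account"], c["name"], "EXPOSED",
                                 "blobs can be listed and read without authentication"))
            else:
                findings.append((acct["account"], c["name"], "EXPOSED",
                                 "blobs readable without authentication by URL"))
    return findings


if __name__ == "__main__":
    for account, container, severity, reason in audit(SAMPLE_INVENTORY):
        print(f"{severity:8} {account}/{container}: {reason}")
```

LATENT findings are worth fixing too: the container-level setting would take effect again if the account-level block were ever relaxed.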
Lessons on Third-Party Risks
This breach serves as a stark reminder of the dangers posed by third-party service providers, which can become entry points for cybercriminals targeting financial institutions. Bankingly is not the first fintech platform to experience such a misconfiguration. In May 2024, Cybernews uncovered a similar vulnerability at Nearsoft, a digital banking solutions provider. Their security lapse exposed sensitive financial data from Banco Portugues de Gestao. In 2023, a breach at OCR Labs, a digital ID verification provider, impacted six financial institutions, further highlighting the widespread risk in this space.
Conclusion:
The Bankingly data leak has cast a spotlight on how exposed Latin America’s financial institutions are to security lapses at their third-party providers. While no direct financial harm has been reported yet, the potential for phishing and other cyberattacks remains high. As digital banking continues to grow, financial institutions must prioritize data security and ensure that their service providers follow stringent security protocols to prevent future breaches.