- A micro-financing organization in Nigeria has exposed 270 thousand sensitive customer records.
- The details include people’s credit card scores, transaction logs, full names, passwords, and more.
- The period of exposure was at least ten days, more than enough time for the data to be found and exfiltrated.
Citygate Global, a Nigeria-based microfinance institution that supports economic growth and empowers initiatives in the country, has failed to secure the “production” database of Monéé, the app it launched last year. As a result, the details of all users of the app have been exposed, as 271,732 records were left prey to anyone with a web browser and a valid URL. The discovery comes from researcher J. Fowler, who actively seeks out this kind of exposure using specialized search engines.
The records that have been exposed include the following details:
- Customer names
- Account data
- Credit card data
- IP addresses
- Storage info
The app that was linked to this database offers loan and financial services, fund transfers, savings, investment, bill payment, and more, so this exposure opens up the potential for high-level phishing, scamming, and identity theft risks. It is unknown if the customers received a notification to warn them about the risks that arise from the security lapse, but it’s highly doubtful. The same goes for notifying the relevant authorities.
As for the second part of the exposed details, the entries that concern middleware and network information, this could potentially be exploited to infiltrate deeper into Citygate’s systems and access even more valuable details. This data should have been kept away from public access, and its exposure underlines the poor security practices followed by the firm’s IT team.
The researcher discovered this on March 3, 2021, and immediately notified Citygate of the issue. Having received no response from the company a week after that, he sent out a second notification. Public access to the database was eventually closed three days after the second notice, so there was a total of ten days of exposure at minimum. As the researcher points out, no one from Monéé or Citygate Global ever replied to his messages or bothered to provide any explanation or to thank him for the notice.
Back in the summer of 2019, we reported on a similar incident concerning millions of customers of Jana Bank, another “micro-financing” organization based in Bengaluru. If you are looking to get a small loan to support your business endeavors, beware of the dangers of data exposure, as many of these entities don’t pay the required attention to the security aspect of their operations.