‘Citygate Global’ Exposed Hundreds of Thousands of Customer Records

  • A micro-financing organization in Nigeria has exposed 270 thousand sensitive customer records.
  • The details include people’s credit card scores, transaction logs, full names, passwords, and more.
  • The period of exposure was at least ten days, more than enough to be found and exfiltrated.

Citygate Global, a Nigeria-based microfinance institution that supports economic growth and empowers initiatives in the country, has failed to secure the “production” database of the app it launched (Monéé) last year. As a result, the details of all users of the app have been exposed, as 271,732 records were left prey to anyone with a web browser and a valid URL. The discovery comes from researcher J. Fowler, who is actively seeking this kind of exposures using specialized search engines.

The records that have been exposed include the following details:

  • Customer names
  • Account data
  • Passwords
  • Credit Card data
  • IP addresses
  • Ports
  • Pathways
  • Storage info
Source: Security Discovery
Source: Security Discovery

The app that was linked to this database offers loan and financial services, fund transfers, savings, investment, bill payment, and more, so this exposure opens up the potential for high-level phishing, scamming, and identity theft risks. It is unknown if the customers received a notification to warn them about the risks that arise from the security lapse, but it’s highly doubtful. The same goes for notifying the relevant authorities.

As for the second part of the exposed details, the entries that concern middleware and network information, this could potentially be exploited to infiltrate deeper into Citygate’s systems and access even more valuable details. This data should have been kept away from public access, and its exposure underlines the poor security practices followed by the firm’s IT team.

The researcher discovered this on March 3, 2021, and immediately notified Citygate of the issue. Having received no response from the company a week after that, he sent out a second notification. Public access to the database was eventually closed three days after the second notice, so there was a total of ten days of exposure at minimum. As the researcher points out, no one from Monééor or Citygate Global ever replied to his messages, bothering to provide any explanation or to thank him for the notice.

Back in the summer of 2019, we reported on a similar incident concerning millions of customers of Jana Bank, another “micro-financing” organization based in Bengaluru. If you are looking to get a small loan to support your business endeavors, beware of the dangers of data exposure, as many of these entities don’t pay the required attention to the security aspect of their operations.

How to Watch Irreverent Online From Anywhere: Stream the 2022 Colin Donnell and P. J. Byrne Drama Mini-Series
Irreverent is an Australian drama television miniseries that will premiere soon, and we have all the information you may need on this topic,...
How to Watch Christmas in Rockefeller Center 2022 Online From Anywhere: Stream the 90th Christmas Tree Lighting Ceremony
Rockefeller Center will celebrate its 90th Christmas Tree Lighting Ceremony very soon, and the best thing is that you will be able...
Poland vs. Argentina Live Stream: How to Watch World Cup 2022 Group C Match Online
Group C of the 2022 FIFA World Cup is nearing its conclusion, and the two rounds of 16 spots are still very...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari