Sensitive Details of Student Loan Applicants Leaked via Call Recordings
Last updated September 25, 2021
- Many thousands of student loan applicants were exposed via an unprotected S3 bucket.
- The leaked details include full names, social security numbers, addresses, phone numbers, and more.
- The data could now be sold on the dark web for up to $4.4 million, as it offers various types of precious details.
Security researchers have discovered yet another unsecured Amazon S3 server that belonged to the “Student Advocates Group.” This entity was characterized as fraudulent by FTC last year - who also took legal action against them. Now, the damage to the loan applicants became even worse than what they had to sustain by the scheme, as their sensitive details were contained in the unprotected database. A peculiarity that concerns this incident is that the database wasn’t only hosting listings of documents with user details, but also call recordings.
The leaking bucket contained the following files:
- 51,879 MP3 files (call recordings)
- 4,543 (call recordings)
- 25,000 PDFs (scans or photos of proof of income – tax returns)
Source: securityaffairs.co
The call recordings are the most catastrophic for the students, as the support agent begins by confirming the other person’s details. This includes the following things:
- full name
- social security number
- date of birth
- address
- phone number
In some cases, the call recordings also include the following information:
- credit card number, CVV and expiration date
- banking information (account and routing numbers)
- PIN numbers
- email addresses
- occupation and employer information
- total loan amount
- emergency contact names and relationships
These are extremely sensitive details that should have been treated with extra care, but unfortunately, they weren’t. The students who had no other choice than to trust the “Student Advocates Group” will now have to deal with the additional risks of identity theft, scamming, and extortion. Considering that these people were already in a dire financial position, the effects of this latest incident are magnified.
The researchers discovered the S3 bucket on April 29, 2020, but the loan agency didn’t respond to the warning messages. Thus, the researchers reached out to Amazon on May 7, 2020, and the database was eventually secured on May 26, 2020. So, the data was accessible for approximately a full month, which should be more than enough for malicious actors to locate it and download everything. Considering that there are about 56,500 social security numbers there, selling this data would make the actors between $275,000 and $4.4 million.
As for whether your personal details are included in the leaked data or not, the timestamps of the datasets range between early- to mid-2018 and January 21, 2020. If you have spoken with an agent of the Student Advocates Group, the Progress Advocates Group, the Assurance Solution Services, or the Equitable Acceptance Corporation (all under the same umbrella) for the approval of a loan application consider yourself exp
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular