Kreditech, a consumer finance startup that specializes in lending to “unbanked” consumers with little or no credit rating, is investigating a data breach that came to light after malicious hackers posted thousands of applicants’ personal and financial records online (according to KrebsOnSecurity).
A source pointed KrebsOnSecurity to a Web site reachable only via Tor, a software package that directs Internet traffic through a free, global network of relays. That page, pictured in screen shot to the right, included links to countless documents, scanned passports, drivers licenses, national IDs and credit agreements apparently taken from Kreditech’s servers.
The site announced that a group of hackers calling itself “A4″ put the information online after finding “hundreds of gigabytes” of Kreditech’s documents, including what appear to be configuration files from the company’s Intranet and internal servers.
Anna Friedrich, head of communications at the Hamburg, Germany-based lender, acknowledged that the company had an “isolated internal security incident” in November 2014, and that Hamburg police are investigating.
Friedrich said Kreditech believes the data was stolen not from customers but only from credit applicants. She added that Kreditech believes the information was leaked from within by someone who worked at the company — although she declined to say whether the suspect was a current or former employee.
According to KrebsOnSecurity Kreditech’s lawyers sent a letter (PDF) demanding an immediate correction on several aspects of the story. Mostly, the letter disagrees with statements made
not by this author but by others quoted in the story. The company does dispute that any data from applicants in the Dominican Republic could have been compromised because the company did not start operations there until after the breach occurred. Kreditech also said it has not launched operations yet in Brazil or Romania.
To read the full story on KrebsOnSecurity click on this link