Noam Rotem, a researcher for vpnMentor, recently made a startling discovery. A database connected to a now-defunct app called MCA Wizard was found unsecured on the web. It contained a staggering 425 GB of sensitive corporate financial data.
The app, developed via a partnership between Argus Capital Funding and Advantage Capital Funding, is no longer available on the Apple or Google Play stores.
When it was available for download, however, it served as an MCA (Merchant Cast Advance), designed to provide businesses with short term loans based on their projected credit card-based sales.
The database contained more than half a million highly sensitive documents originating from Argus and Advantage and belong to a wide range of the clients of the two companies. Among other things, the documents include bank statements, credit reports, copies of driver’s licenses, tax returns, social security information, and much more.
In recent years, vpnMentor’s mapping project has unearthed several databases similar to the one most recently discovered, but none have been quite so large or potentially damaging. The company attempted to reach out to both Argus and Advantage, but the emails they sent to inform the companies about the database bounced back as undeliverable.
Some days after making the attempt to contact the two companies, the database was pulled offline, so clearly someone was watching. Although to date, all attempts to contact the two companies have failed.
While it’s fantastic news that the database is now offline, the sensitive nature of the files it contained could have ruinous consequences for the businesses and individuals identified in those documents. There are more than enough details in the files to allow hackers to steal the identities of thousands of wealthy individuals and forge credentials in the name of hundreds of legitimate businesses.
Kudos to Noam Rotem and the folks at vpnMentor. If you do or have done business with Argus or Advantage, know that some of your company’s sensitive information may have been compromised.