Thousands of Australian Personal Details Discovered

share
Header image

Thousands of Australian Personal Details Discovered

share

Unclear how long the database was exposed before it was discovered.

Around 27,000 records have been discovered in a non-password-protected database.

Including driver’s licenses, medicaid cards, employment statements, and bank statements that contain account numbers and partial credit card numbers, the database and its internal files indicated they belonged to Australian Fintech company Vroom by YouX - formerly Drive IQ - according to researcher Jeremiah Fowler.

“Additionally, I saw an internal screenshot that showed the information of an additional MongoDB storage instance that contained 3.2 million documents,” he wrote in an article. “I did not review the MongoDB, and it is unknown for me if those files were accessible or secured, but there are numerous potential risks to exposing additional file storage locations, database names, and systems that are intended for internal use.” 

Fowler said he sent a responsible disclosure notice to Vroom, and the database was restricted from public access and no longer accessible shortly after. “Although the records belonged to Vroom by YouX, it is not known if the database was owned and managed directly by them or by a third-party contractor,” he said.

He said he was unsure how long the database was exposed before he discovered it, or if anyone else may have gained access to it.

A response from Vroom said: “We’ve identified and resolved the issue causing this vulnerability so thank you for bringing it to our attention. A post incident review will be conducted shortly so we can determine the communication plan and process improvements required.”
Written by
Dan Raywood
Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.

Data Breach Published: 27 March Written by
Dan Raywood
Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.

Upcoming Events

No events found.

Related content

Hijacked NHS Scotland domains push adult content

Hijacked NHS Scotland domains push adult content

 UK watchdog raises concerns over Jaguar Land Rover's cyber bailout

UK watchdog raises concerns over Jaguar Land Rover's cyber bailout

 Stryker dismisses malware use, data theft following cyberattack

Stryker dismisses malware use, data theft following cyberattack
Report: UK cyberattacks grow faster than global rate

Report: UK cyberattacks grow faster than global rate

 Toll of Transport for London hack reaches nearly 10M

Toll of Transport for London hack reaches nearly 10M

 Novel CyberStrikeAI tool exploited in attacks

Novel CyberStrikeAI tool exploited in attacks
Industry urges reform to retain women in tech

Industry urges reform to retain women in tech