vpnMentor’s research team, led by Noam Rotem, recently uncovered a breached database leaking a massive amount of sensitive financial documents online. More than 500,000 highly sensitive and private legal and financial documents were exposed, compromising numerous parties to the risk of fraud and theft.
According to the research team, the database appears to be linked to MCA Wizard, an iOS and Android app developed by two companies: Advantage Capital Funding and Argus Capital Funding. Launched in January 2018, the app is no longer available for download.
Based on their research, Advantage and Argus seem to be the same company under two different names, both based in New York, USA. For instance:
- They have similar company names
- Any description of MCA Wizard online includes the following: “Advantage and Argus Capital Funding work as a single united team with market-leading firms around the world and give our clients the highest quality advice possible.”
- Their websites share identical text in certain sections
- They share a CFO and other executive staff and physical address
The research team discovered the breached database on Amazon Web Services (AWS) in December 2019 and contacted AWS directly, and the breach was closed shortly after (January 09, 2020).
The database contained more than 500,000 documents, totaling 425GB of data. Within was a wide range of documents covering many aspects of Advantage and Argus’s businesses, finances, and dealings with other companies. The files the team viewed included but were not limited to:
- Credit reports
- Bank statements
- Legal paperwork
- Driver’s licenses
- Purchase orders and receipts
- Tax returns
- Transaction reports for credit cards and merchant bank accounts
- Scanned copies of bank checks
- Access information for bank accounts
- Corporate shares outline
- Social Security information
This leak raises serious credibility and trust issues for Advantage and Argus, notes the research team. "By not sufficiently securing this database and revealing so much information, they have compromised the safety, privacy, and security of their clients, partners, and customers," they add. In addition, this leak may draw the attention of US financial and data security regulators, as this could be a violation of the California Consumer Privacy Act.
For more information, visit the vpnMentor report.