The popular security expert Chris Vickery has discovered a new data breach that affected the AMP online trading firm that exposed thousands of files, including credit reports, passport scans, and customer chat logs. This specific incident is notable for the amount of money that passes through AMP’s systems.
“I’ve come across several finance-related data breaches within the past few weeks, most recently involving the AMP Futures trading platform.” wrote the expert in a blog post.
“While the exact nature of the leak is nothing new, a third-party IT vendor’s unsecured rsync backup device, the amount of money involved is on the large side. The files indicate that AMP has over $50 million on the books and additionally include the private details of over 10,000 account applicants.”
The data leak discovered by Vickery was caused by a misconfigured backup device managed by a third-party IT vendor, it was now fixed. Such kind of incidents are unfortunately very common, Vickery has discovered similar data leaks online.
AMP is a Chicago-firm based firm that operates many platforms for online futures trading.
Vickery discovered a 70GB dump exposed on the web containing roughly 97,000 files.
“The portion I downloaded comes to about 70 gigs and represents 97,000 different files. It includes credit reports, passport scans, internal company emails, customer chat logs, and basically everything an identity thief would need in order to mount a serious campaign.” Vickery added. “I was surprised at the number of plaintext customer passwords discussed in the chat logs (by staff and customers alike).”
Vickery explained that AMP representatives were surprised when he reported the data leak.
“The head honcho over at AMP was surprised when I fully explained the situation to him over a phone call. He rightly wondered what AMP was paying its third-party IT company for. If a third party, which specializes in IT, can’t catch this kind of leakage themselves, there is some serious improvement to be done.” Vickery explained.
“AMP’s CEO was relieved to hear that I wasn’t trying to sell him anything or attempting any sort of blackmail or extortion, and I’m thankful he understood that I merely discovered the unsecured data rather than causing it to become unsecured. That’s a distinction many people fail to grasp, especially when their company is potentially in the hot seat.”
Chris Vickery discovered many other clamorous cases of open database exposed on the Internet.
In December 2015 the security expert discovered 191 million records belonging to US voters online, in April 2016 he also discovered a 132 GB MongoDB database open online and containing 93.4 million Mexican voter records.
In March 2016, Chris Vickery has discovered online the database of the Kinoptic iOS app, which was abandoned by developers, with details of over 198,000 users.
In January 2017, the expert discovered online an open Rsync server hosting the personal details for at least 200,000 IndyCar racing fans.
A few days ago, Vickery’s disclosed a massive data breach at a U.S.-based data warehouse, Schoolzilla, which held personal information on more than a million American students (K-12).
(Security Affairs – Data Leak, AMP)