An Elasticsearch server instance left open on the internet without a password contained sensitive financial information about loans from Indian and African financial services.
The leak, which was discovered by researchers from information security firm UpGuard, was 5.8 GB in size and consisted of a total of 1,686,363 records.
“These records included personal information such as name, loan amount, date of birth, account number, etc.,” UpGuard said in a report shared with The Hacker News. “A total of 48,043 unique email addresses were in the collection, some of which were for product administrators, corporate customers, and debt collectors assigned to each case.”
The exposed instance, used as data storage for a debt collection platform called ENCollect, was detected on February 16, 2022. The exposed server has been inaccessible to the public since February 28, following a response from the Indian Computer Emergency Response Team (CERT-In).
ENCollect is billed as the “World’s Best Collections App”. It allows debt collectors to track loan repayments and initiate legal action, and provides methods for managing delinquencies, settlements, and repossessions.
UpGuard said the loans came from lending services such as Lendingkart, IndiaLends, Shubh Loans (MyShubhLife), Centrum, Rosabo and Accion, with the leaked information also incorporating personal details associated with the borrowers.
Additionally, the dataset included 114,747 street addresses, 105,974 phone numbers, and 157,403 loan amounts. A subset of these records also revealed additional information such as contact information for co-applicants, family members and other personal references.
“Some of the records contained overdue amounts, loan type and term, and internal notes left by collection agency staff regarding loan repayments,” UpGuard said.
Although the misconfigured server has been secured, there is still a chance that someone with malicious intent will use the information to target users with scams or extortion schemes, or even impersonate loan collectors to target borrowers.
“The digitization of financial services offers many opportunities for efficiency in processes such as debt collection, but also creates unexpected risks in the supply chain,” the researchers said. “Vendor solutions also create the risk of multi-party exposures when their datasets come from multiple customers, as in this case.”