An Amazon S3 storage instance containing sensitive personal and financial records was found publicly accessible without password protection or encryption.

The database, linked to Australian fintech company Vroom by YouX (formerly Drive IQ), contained approximately 27,000 records, including driver’s licenses, Medicaid cards, employment statements, and bank statements featuring account numbers and partial credit card details.

A security researcher discovered the exposed database and found an internal screenshot referencing an additional MongoDB storage instance with 3.2 million documents. However, it is unclear if those records were publicly accessible. The researcher promptly notified Vroom, and the database was restricted from public access shortly after. It is unknown how long the database was exposed or if unauthorized access occurred. A forensic audit would be necessary to confirm potential breaches.

Vroom by YouX acknowledged the issue, stating that it had resolved the vulnerability and would conduct a post-incident review. The fintech industry is a frequent target for cybercriminals, with a 2024 Sophos report showing that 65% of financial organizations have faced ransomware attacks. Exposed identity documents, such as driver’s licenses and bank statements, pose serious risks, including identity theft, fraudulent loans, and social engineering scams.

Partial credit card numbers were also found in .json files. Although incomplete, these details can be cross-referenced by criminals with other data breaches to reconstruct full account numbers, or used in phishing attempts to obtain the missing information. To prevent such risks, fintech companies must implement robust security measures, including encryption, strict access controls, multi-factor authentication (MFA), regular security audits, and real-time monitoring for suspicious activity. Data minimization policies should also be followed so that only necessary information is stored and outdated records are securely deleted.
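Two of the controls named above, access restriction and encryption, can be checked against an S3 bucket's own configuration. The following is an added example, not code from the article or from Vroom by YouX: it evaluates the structures that the AWS APIs get_public_access_block, get_bucket_policy and get_bucket_encryption return, using constructed sample configurations and a hypothetical bucket name so that it runs offline.

```python
from typing import Optional

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
READ_ACTIONS = {"s3:GetObject", "s3:*", "*"}

def _is_public_principal(principal) -> bool:
    """Principal "*" or {"AWS": "*"} (possibly inside a list) means everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def policy_grants_public_read(policy: dict) -> bool:
    """True if an unconditional Allow statement grants object reads to everyone."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if _is_public_principal(st.get("Principal")) and READ_ACTIONS & set(actions):
            return True
    return False

def audit_bucket(pab: dict, policy: dict, encryption: Optional[dict]) -> list:
    """Return findings as strings; an empty list means nothing was flagged."""
    findings = []
    for key in PAB_KEYS:  # all four must be on to neutralise a permissive policy/ACL
        if not pab.get(key, False):
            findings.append(f"Block Public Access setting {key} is off")
    if policy_grants_public_read(policy):
        findings.append("bucket policy grants read access to everyone")
    if not encryption or not encryption.get("Rules"):
        findings.append("no default server-side encryption rule configured")
    return findings

# Constructed sample configurations (hypothetical bucket name), not the article's data.
EXPOSED_PAB = {k: False for k in PAB_KEYS}
EXPOSED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-fintech-docs/*"}]}
HARDENED_PAB = {k: True for k in PAB_KEYS}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::example-fintech-docs/*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
HARDENED_ENCRYPTION = {"Rules": [{"ApplyServerSideEncryptionByDefault":
                                  {"SSEAlgorithm": "aws:kms"}}]}
```

Running audit_bucket on the exposed sample returns six findings (four Block Public Access settings off, a public-read policy, and no default encryption); on the hardened sample it returns none, since the Deny statement carries a Condition and grants nothing.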
