Unbanked lender Kreditech suffers insider data breach

Update 26/03/2015: since we published this blog post, Kreditech has provided a statement, which we have published directly under the original post.

Brian Krebs reports that Kreditech, a German “consumer finance startup that specializes in lending to ‘unbanked’ consumers with little or no credit rating” has suffered a data breach, resulting in thousands of loan applicants’ personal and financial records – including scanned passports, drivers’ licenses, IDs and credit agreements – being posted on a site on the dark web accessible via Tor.

A group of hackers calling itself A4 put the stolen information online, writing: “The company, getting multimillion investments, probably decided to spend them for anything but security of their clients’ data. As explained by a member of A4, not that the company’s security is at a low level, it is absent as such. All data to which the group A4 got access will be put online in open access although its curb price is rather considerable.”

Kreditech spokesperson Anna Friedrich told Mr Krebs that the company suffered an “isolated internal security incident” last November, which she believed to have been the work of an employee. She declined to comment on whether the employee was still with the company, or whether their actions were malicious or accidental.

“There is no access to any customer data,” she said. “This incident stemmed from a form on our Web site that stored data in a caching system that deleted data every few days. What happened was that a subset of application data was affected. We are collaborating with the police, but unfortunately there is no further information that I have to share.”

Kreditech secured $200 million in funding from investment group Victory Park Capital in January – one of the largest investments in the history of online lending, according to TechCrunch.

Anna Friedrich of Kreditech has emailed me the following statement:

“(1) In the article you are quoting the “A4 group” claiming that Kreditech “invests in anything but the security of their clients”. This is incorrect. It is correct that:

“The security of our customers’ data has top priority for Kreditech. When we learned of the incident in summer (August) 2014 we involved the Hamburg state police and conducted intensive security tests involving external experts.

“They verified highest security standards and confirmed that the Kreditech system cannot be accessed externally – not today and also not in the past. This led the experts to conclude that an external hack had not occurred.

“(2) The article also states that not only applicant but also customer data was affected. This is incorrect. It is correct that:

“The data affected stem from the caching system of our website. In the caching system only application data is temporarily saved, no data of existing customers is stored.”

IT Governance is more than happy to publish these comments.

ISO 27001

89% of respondents to Vormetric’s new Insider Threat Report “felt that their organization was now more at risk from an insider attack”. ISO 27001, the international standard for best-practice information security, sets out the requirements of an enterprise-wide ISMS that covers people, processes and technology. ISO 27001 staff training ensures that everyone in the organisation understands their security obligations, reducing its exposure to accidental breaches.

Accredited ISO 27001 certification demonstrates to your customers that you have implemented effective security processes based on international best practices, and regular auditing shows that you maintain the quality of your information security posture. As well as increasing organisational efficiency, the assurance that accredited certification provides helps you gain new business and retain existing customers.

IT Governance ISO 27001 Packaged Solutions

Thanks to IT Governance’s fixed-price ISO 27001 Packaged Solutions, EU organisations can take advantage of expert ISO 27001 consultancy to implement an ISO 27001-compliant ISMS for as little as €11,295.

With its unique combination of standards, books, toolkits, software, training, and online consultancy, IT Governance’s Get A Lot Of Help package provides EU organisations with all they need to implement the Standard and ensure the security of their information.
