We discovered that transaction logs and personal identification were stored in an insecure manner. We notified Grink, and they closed the breach as swiftly as possible.
Several Thousand Switch Financial Transactions Exposed
These logs have details about financial transactions, including names, email addresses, and amounts. We also found documents that appear to be used by Switch to verify its users.
The breach also revealed messages between users in the comments field, tied to each user by name. We found that a total of 4,765 Switch users were affected, and 127 verified users had their documents exposed.
Driver’s Licenses of Verified Users Leaked
The documents that Grink accidentally published include driver’s licenses and passports belonging to individuals in the United States.
The leaked images above are samples of high-resolution photos of ID cards that are required by some fintech apps to verify their users. Such sensitive data should always be encrypted if it’s retained at all.
Timeline of the Breach
Our security team has outlined a specific timeline ranging from breach discovery to the closing of the breach by Grink. Our VPNOverview security team notified Grink of the issue, which resulted in them securing the exposed files. The following is a timeline of the process:
Note: Grink updated their bucket security 22 days after we notified them of the breach.
Stolen Documents Are a Cybercriminal Favorite
Some forms of PII have more value to cybercriminals than others in identity theft operations. Sensitive documents, like driver’s licenses and passports, can be used to commit fraud. Statistically, email addresses and account passwords are less valuable to cybercriminals because they do not always provide an immediate return on investment (ROI) the way such documents do. Email addresses can, however, be used in many ways to conduct phishing, a very common form of social engineering cybercrime. Compromised driver’s licenses have more direct uses: at the peak of the pandemic, for example, cybercriminals used them to steal unemployment benefits. These documents can also be used to cash a check, verify a criminal’s identity when boarding a plane, or open bank accounts. Furthermore, driver’s licenses are highly valued on the dark web, selling for between $20 and $80 each, as opposed to passwords, which go for about a dollar.
What You Can Do to Protect Your Driver’s License and Your Personal Information
If you have confirmed that your driver’s license was stolen or compromised in this Switch Fintech breach or otherwise, you should always report it to the relevant authorities. It is important to note that different countries deal with online fraud in different ways. In the United States, for example, you can arrange identity theft protection with the Federal Trade Commission (FTC), which will alert you if your information appears for sale on the internet. You can set this up through the FTC’s identity theft portal. You should also check your credit reports and bank statements for signs of fraud and unauthorized transactions. You can also order free yearly credit reports and review them once a year for signs of another account being opened in your name. It is also possible to freeze your credit files for free with services such as Equifax, TransUnion, Innovis, and the National Consumer Telecommunications and Utilities Exchange. Credit freezes prevent cybercriminals from opening credit and utility accounts in your name. It would also be a good idea to set up account security with your bank to alert you of accounts set up in your name. Multi-factor authentication across your devices will also help by preventing criminals from logging in to your accounts.
Cybercriminals don’t have to directly breach your data to exploit your personal information. Often, it is enough for someone to have a photograph of your personal documents. Over the years, millions of U.S. driver’s licenses have been compromised in breaches or failures to secure a database. This could be the case with Switch, too.
Storing Unencrypted Sensitive Data is Asking for Trouble
Our security researcher Aaron Phillips shared the following remarks: “This is a nightmare scenario for fintech app publishers. Storing personal documents unencrypted is unacceptable, and Switch users deserve better. These documents are some of the most sensitive pieces of PII that could possibly be leaked.”