Defunct CashMama and Loan Zone, MeraLoan Leaks Sensitive Customer Data, Report Says

Personally Identifiable Information (PII), such as passport photos, loan agreements, and other files exposing a wide variety of sensitive data, such as full names, email addresses, national ID cards, phone numbers, bank accounts containing over 6.5 million (million) files, totaling over 1TB (terabyte) of data, are leaked from (now) instant loan app CashMama and three other apps associated with it , according to a report.

the safety team at SafetyDetectives discovered a data breach affecting CashMama, which was left in an open form on Amazon’s S3 bucket. It states: “The contents of the compartment included PII and sensitive data belonging to customers of at least four instant loan applications: CashMama, Loan Zone (also known as Vayloan), MeraLoan and an unidentified application. We observed a large amount of personal data. that were collected for each application. We observed ten different file collections on the bucket. Each collection of files consisted of one or more folders containing similar files. The data in each collection relates to one of the instant loan apps on the bucket.

According to SafetyDetetectives, the data from the unidentified app was stored under an app name, although it was not possible to specify exactly which app that name referred to. “A small portion of the files are of unknown origin – this data could have been collected for one of the loan applications mentioned, or it could have been collected for a completely different instant loan application,” it says.

Founded in 2018 in Hyderabad, CashMama is now defunct after it was discovered that it was allegedly involved in an instant loan app scam. CashMama promised convenience with a 100% online loan application and screening process.

“CashMama was owned by parent company Onion Credit Pvt Ltd, which also operated other instant loan apps with open bucket data, such as Loan Zone and MeraLoan. Each of these apps is implicated in racketeering allegations. Onion Credit representatives were arrested in late 2020 following allegations of blackmail, harassment, coercion and financial fraud,” says SafetyDetectives.

CashMama’s Open Bucket features a feature that allows its owners to spy on customers through several mobile apps and related services. “The loan agreements exposed a lot of this PII and sensitive data, information that belongs to CashMama customers. The loan agreements appear to document contracts between customers and instant loan companies.

“Alternatively, the loan agreements could have been sent to the non-bank financial companies (NBFCs) funding the loans. There were nearly 300,000 loan agreements on the misconfigured bucket.”

According to the investigation, the image data found in CashMama’s bucket included technical information about users’ photos without containing the photos themselves. The image data exposed PII and sensitive data of CashMama customers and was found in vintage files. Nearly 200,000 vintage files exposed the data of approximately 100,000 CashMama customers.

“The photo ID files contained photo IDs presumably collected during the application and identification process. We believe these photos exposed PII of LoanZone/Vayloan customers, however, we cannot to be certain Over 2.3 million of these files were seen on the open bucket Processed ID cards contained over 170,000 plain text identifiers Here the ID cards were converted to plain text via the optical character recognition, a technology that scans images for text,” the report said.

Additionally, CashMama’s Amazon Web Service (AWS) S3 bucket contained nearly 650,000 SMS data files and nearly one million SMS and contact history files, the latter exposing the phone data of more than 350,000 customers. Device information that likely belonged to LoanZone or Vayloan users was also found in a Vayloan fingerprint data file. We have seen over 600,000 files in this folder containing this form of sensitive user data.

MeraLoan users had their cellphone contact data exposed in MeraLoan apps and contract files. A folder on the bucket stored over 7,000 files containing MeraLoan user contacts. “We do not know whether or not the app has requested access to users’ contacts to collect this data. If the app has requested access, users should be aware that access to contacts gives the app permission to download all contact files, including contact details,” says SafetyDetectives.

CashMama’s unsecured Amazon S3 bucket was not active and unused at the time of discovery and the files in the bucket were dated October 2020 to April 2021.

“Amazon is not responsible for the management of CashMama’s AWS S3 bucket and therefore is not responsible for this data breach. Based on the number of unique files we observed, we estimate that there are approximately 200,000 to 600,000 customers exposed to the CashMama data breach,” the report states. said.

According to SafetyDetetectives, CashMama’s bucket contained data apparently collected from users’ phones. It says: “We don’t know if access to this data has been granted by users in app permissions or not. If apps have requested permissions, the bucket shows how apps can legally collect user data and how this data collection can ultimately put users at risk.Users should read permissions carefully before downloading an app.Above all, users should be able to understand what data each app permission provides access to.

As reported by Moneylife, while loan sharks, charging astronomical interest and disguising it as a processing fee (to beat the loan sharking law) continue to wreak havoc among desperate borrowers, the union government has washed its hands on the question.

In February last year, a response written in the Lok Sabha, the Ministry of Electronics and Information Technology (MeitY) stated that the police and public order are matters of state and that the States and Union Territories (UTs) are primarily responsible for the prevention, detection, investigation, and prosecution of crimes, including the misuse of social media through their enforcement mechanisms. law application.

Also, instead of taking notice of the serious issues, the ministry simply shared the Google Play Store policy in its response.

Like reported by Moneylife , the apps, which lend small amounts between Rs2,000 and Rs10,000, are targeting low-income and financially unsophisticated Indians who don’t realize how quickly their small borrowings can turn into a huge loan. The ensuing harassment drove many young people to suicide, prompting the police to take action.

Earlier in December 2020, the Reserve Bank of India (RBI) warned borrowers not to go to unauthorized digital lending platforms or mobile apps to get a loan and never share any knowledge-related documents of your customer (KYC) with these entities. However, other than advising borrowers to file a complaint, RBI has not mentioned any action it has taken so far or how it proposes to tackle the threat.

According to RBI, there have been reports of individuals and small businesses falling prey to an increasing number of unauthorized digital lending platforms and mobile apps on the promise of getting loans quickly and hassle-free.

The article says that with few exceptions, most of these loan companies charge high interest and processing fees on short-term (seven days to one month) loans. Their interest rates vary from 25% to 40% while processing fees vary from 15% to 20%. In addition, GST at the rate of 18% is levied on the processing fee.

You might want to read…

Comments are closed.