- According to reports, the Indian loan company Vivifi has suffered a data breach
- 36 million files were exposed
- These consisted mainly of personally identifiable information (PII)
A leading digital loan app has reportedly exposed confidential customer data after a misconfigured Amazon AWS S3 bucket was left unsecured, without authentication.
Cybernews researchers discovered that the loan provider Vivifi left 36 million files of its customers' Know Your Customer (KYC) documents online. The main risk after a data breach is that criminals will use the information to apply for credit cards, loans or bank accounts in identity theft or fraud schemes, so a loan company having its customers' information compromised would make this almost too easy for cybercriminals.
The leak included passports, identification cards, driver’s licenses, utility bills, bank statements and loan agreement letters, among other things. This is what we know so far.
Ongoing investigation
The researchers discovered the leak on November 28, 2024, and the bucket was not closed until January 16, 2025, which means that criminals had more than a month to find and access the data, although there is no evidence to suggest that anyone did; only an internal forensic audit would determine this.
Know Your Customer (KYC) documents are used by financial institutions to ensure they comply with regulations and laws regarding proof of identity, address and income. Unfortunately, this is everything a cybercriminal would need to take out a loan in a victim's name or to create particularly convincing social engineering attacks.
“For example, attackers could use details of the leaked loan agreement or bank information to request urgent payments or account verification,” Cybernews researchers said.
“In some cases, this personal data can be aggregated and sold on the dark web, further increasing the danger and complicating efforts for victims to protect their privacy and secure their identities,” the team added.
Data breaches are all too common, and fintech companies are not immune. In early 2025, the Mexican fintech firm Miio suffered a similar data breach that exposed millions of confidential data files, although significantly fewer than Vivifi’s leak.
Severe risk for customers
This data breach is, unfortunately, the perfect opportunity for an attacker. KYC documents are exactly what cybercriminals need to facilitate identity theft and fraud. With identification documents and personally identifiable information (PII), attackers can take out a loan, obtain a credit card or open new bank accounts in your name.
To stay safe, the key is to remain alert and monitor your accounts. There are identity theft protection plans for individuals and for families, which essentially do the monitoring for you; they often provide $1 million or more in insurance, as well as dark web monitoring and antimalware software, which can be very complicated to set up on your own.
If you want to do the monitoring yourself, or you have not been directly affected by a breach but want to stay protected, here are the things to watch for.
First are your bank statements, accounts and transactions: if you see any suspicious activity, alert your bank immediately and freeze or pause your card if you can.
Next, create a strong and secure password for each individual account, or at least for those that contain financial, health or confidential information, and if a service you use is involved in a cyberattack or breach, be sure to change the password right away.
Although it is a pain, enabling multifactor authentication (MFA) adds an additional layer of protection against intruders, so for accounts holding confidential information it is vital.
When PII leaks, there is always an additional danger of social engineering attacks such as phishing, which will use the breached data to determine which services you regularly use, what your interests are, or even who your friends and family are.
From there, the attackers will send an email posing as one of the above, and will trick you into clicking a malicious link, scanning a QR code or handing over your details.
Be wary of unexpected communications and look carefully at the sender of emails; if you are not sure, do not click any link, and look up the legitimate email address or contact the company directly through its website.
Remember, your bank will not ask for your account details by phone or by email, and it will not ask you to transfer your funds to a different account.