Cybersecurity researcher Jeremiah Fowler has identified a misconfigured and unsecured server that exposed 378 GB of sensitive internal files belonging to Navy Federal Credit Union (NFCU), the largest credit union in the United States serving military personnel. Fortunately, no member data was compromised during this incident.
Fowler's findings, shared with Hackread.com, show that the server contained a significant collection of unencrypted backup data, accessible to anyone without authentication. Fowler, who is associated with Website Planet, highlighted the severity of this oversight, which has serious implications for data security at NFCU.
The database, while lacking direct customer information, nonetheless held sensitive materials such as internal usernames, email addresses, and potentially hashed passwords, along with critical operational data. Fowler’s investigation revealed user roles and various Tableau workbook documents, which are typically used for data analysis. These files included significant connection details to other internal databases, as well as formulas utilized to evaluate financial performance metrics, such as loan performance and profitability.
Even though member data wasn’t directly exposed, the nature of the revealed files could provide malicious actors with a comprehensive understanding of the credit union’s internal operational architecture. Additionally, the backup files contained system logs and product codes that should have remained confidential, adding to the risk to the organization’s data integrity and security protocols.
While customer data was not directly compromised, this security lapse poses a severe risk. Fowler cautions that such leaks could furnish criminals with a “roadmap” for future attacks. The exposed internal email addresses and usernames could be exploited for targeted phishing attempts, potentially giving attackers deeper access to the organization’s networks.
Fowler emphasized that the exposed files do not have to contain direct data to pose a danger. They may reveal underlying structures or metadata that indicate how backup software associates these files with production systems. He promptly alerted NFCU about his findings, and the database was secured within a few hours. However, uncertainty remains regarding the duration of the exposure and whether unauthorized individuals accessed the sensitive information.
This incident underscores the necessity for organizations to treat all backup data with the same rigor as live data. It highlights the importance of encrypting all backup files and conducting regular security audits, particularly involving third-party contractors. The event serves as a stark reminder for businesses to enhance their cybersecurity measures, addressing potential vulnerabilities before they can be exploited.