Researchers at Cybernews.com recently discovered an unsecured Amazon Simple Storage Service (S3) bucket containing a huge trove of data from a student loan company.
Researchers at Cybernews.com recently discovered an unsecured Amazon Simple Storage Service (S3) bucket that contains more than 55,000 call recordings between loan support workers and American consumers with outstanding student loans.
This open database also contains more than 25,000 PDFs, many of which are scans or photos of proof of income (such as pay receipts or tax returns). Both the proofs of income and the call recordings contain the borrowers’ social security numbers, among other sensitive personal data.
The database seems to belong to members of the Student Advocates Group, which an FTC press release named as a student loan debt relief scheme that “bilked millions out of consumers by charging illegal upfront fees and falsely promising to lower or even eliminate consumers’ loan payments or balances.”
Because the bucket contains sensitive data from people across the US, including California residents, the bucket owner may have to pay damages and penalties under the CCPA, since:
- The leaked data contains highly personal information (including names together with social security numbers and tax ID numbers)
- The data is both non-encrypted and non-redacted (all samples in this article have been redacted by CyberNews)
- The leak is “a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”
Some of the call recordings take place in early- to mid-2018. However, one proof of income document was submitted on January 21, 2020.
On April 29, we unsuccessfully tried to contact representatives from the Student Advocates Group. We then contacted Amazon on May 7, and they were able to secure the bucket indexing (listing) on May 9. Unfortunately, the database files themselves were still accessible when we checked on May 21, and Amazon finally secured the database files on May 26.
What data is in the bucket?
There are two groups of files in the unsecured S3 bucket:
- call recordings (as both MP3 and WAV files)
- PDF scans of documents
The bucket contains a total of 56,422 call recordings, made up of 51,879 MP3 files and 4,543 WAV files.
Of the recordings we analyzed, most seem to have taken place in early- to mid-2018. The recordings were apparently made for quality control, but they are not redacted. One support agent called them a “two-minute quality control recording” that served as a “financing verification call recording.” However, many of the recordings are roughly 5 minutes long, with one phone call lasting more than 33 minutes.
Some phone calls, featuring what appears to be the same support agent, are recorded both before and after this “quality control recording” portion, even though recording is supposed to begin only after the agent obtains consent (“This call is being recorded for quality assurance purposes. Is that OK?”).
At the beginning of the calls, the support agent confirms the following details with the consumer:
- social security number
- date of birth
- phone number
Other calls also include:
- credit card number, CVV and expiration date
- banking information (account and routing numbers)
- PIN numbers
- occupation and employer information
- total loan amount
- emergency contact names and relationships
Some loan support agents help consumers set up security questions (like the name of their high school mascot, their first pet, etc.) so that the consumer can verify that the call is coming from the loan company.
The recordings also reveal information about outstanding loan amounts, and monthly payments that the caller is agreeing to. Based on the above call format, it’s likely that there are roughly 56,500 social security numbers being leaked in this database.
The bucket contains 25,143 PDFs. The documents in question often serve as proof of income that the support agents regularly ask for in the call recordings.
These documents are likely needed so that the loan company can apply for the free income-driven government repayment plans, such as the PAYE (Pay As You Earn Repayment Plan) or IBR (Income-Based Repayment Plan).
The PDFs include:
- tax returns
- income-driven repayment requests
- direct deposit receipts
All of these are sensitive documents, and some contain multiple social security numbers.
Who owns the bucket?
All of the calls reference Equitable Acceptance Corporation as a third-party lender, which led us to believe that they are the owner of the bucket. However, in one of the calls, the loan support agent provides a customer a phone number connected to the Progress Advocates Group LLC (PAG), a company that offers “student loan consolidation services.”
PAG is related to the Student Advocates Group debt relief scheme, which the FTC claims stole millions of dollars from American consumers by misleading them about its ability to lower their student loan debt.
According to this FTC complaint [pdf], PAG is part of a group of companies that operated “a nationwide debt relief telemarketing scam preying on thousands of consumers struggling with student loan debt.”
For simplicity, we call this group of companies the Student Advocates Group Scheme (SAGS). This group involved the following companies:
- Progress Advocates Group, LLC
- Student Advocates Team, LLC
- Student Advocates Group, LLC
- Assurance Solution Services, LLC
- Equitable Acceptance Corporation (not in SAGS, but it provided financing. In one call recording, the support agent says that EAC is a “finance company helping us finance you.”)
Based on the FTC complaint, the SAGS scam involved the various LLCs contacting and convincing struggling consumers that SAGS can help them lower or eliminate their student loan debt. For their services, SAGS charged consumers up to $1,400. However, the US government makes these services available for free to consumers.
Because most of these consumers are not able to pay the deposit (up to $1,400) upfront, SAGS allows them to pay the fees by financing with Equitable Acceptance Corporation (EAC). EAC would then charge these struggling consumers roughly $40/month for months or years, since the financing came with a high 20.99% interest rate.
Since late 2019, EAC has been banned from engaging in debt relief products and services [pdf], or misrepresenting its products and services. In New York, EAC was banned from collecting on any of its high-interest scam loans, as well as from financing debt relief products or services in the state. EAC is also engaged in other student loan scam complaints.
However, the FTC’s case against the SAGS companies is still pending. Nonetheless, this unsecured S3 bucket will be another blow to the infamous debt relief group of companies.
Who had access?
While it is currently unknown how long the data was left unprotected, it is possible that the data has been accessed by other people, possibly bad actors, for two reasons:
- The earliest confirmed data goes back to 2018
- It is very easy to access unsecured Amazon S3 buckets, as long as you know where to look
For that reason, consumers who were customers of EAC or the SAGS companies should assume their data may have been exposed and check that their identities haven’t been stolen and their financial information hasn’t been misused.
What’s the impact?
Social security numbers in combination with names and other details can fetch good prices on the black market. One PCMag article puts the price at $60-$80, while our own scans of the black market put this data at $5 apiece.
With a likely 55,000 social security numbers contained in this bucket, that would put the value of this leak at $275,000-$4.4 million.
Besides selling this data, bad actors who hold social security numbers can:
- take out loans in your name
- apply for credit cards
- collect tax refunds
- collect benefits and income
- commit crimes
- set up phone numbers, websites and residences
- use your health insurance
Seeing as some phone calls contained full credit card details, bad actors can also make unauthorized purchases. All of this data can also be used to launch very convincing phishing campaigns.
We identified members of the Student Advocates Group as the owner of the database and attempted to notify the company about the leak. However, there was no visible contact information on any of the websites associated with the group, so we attempted to contact a Student Advocates representative on LinkedIn on April 29, 2020. We received no answer.
On May 4, we reached out to Amazon to help them secure the bucket. After providing them with more information on May 7, they were able to secure the bucket on May 9, and it appeared to no longer be accessible to the outside.
However, on May 21 we noticed that files within the bucket were accessible, as we could download the same types of files (audio recordings and documents). We notified Amazon again the same day, and they were able to secure the files on May 26.
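The two exposure modes in this timeline (the bucket listing, or “indexing”, being closed on May 9 while the individual files stayed readable until May 26) correspond to two different S3 permissions, s3:ListBucket and s3:GetObject. The following is an added audit example, not code from the original article or from CyberNews: it evaluates a bucket policy and bucket ACL document offline and reports each mode separately. The bucket name and both sample documents are constructed placeholders; in practice they would come from GetBucketPolicy and GetBucketAcl.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample bucket policy: anonymous object reads stay allowed even
# though nothing grants listing, the state the article describes on May 21.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-loan-bucket/*",  # placeholder name
    }],
})
# Constructed sample bucket ACL, as GetBucketAcl would return it: owner only.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
]}
# Grantee URIs that make an ACL grant public (AllUsers means anonymous).
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_is_public(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_exposure(policy_json, acl):
    """Return {'list': bool, 'read': bool}: may anonymous users list the bucket
    (the 'indexing') and may they read its objects (recordings and PDFs)?
    Deny statements and Conditions are not evaluated, so the result
    over-approximates exposure, the safe direction for an audit."""
    exposure = {"list": False, "read": False}
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(fnmatchcase("s3:listbucket", a) for a in actions):
            exposure["list"] = True
        if any(fnmatchcase("s3:getobject", a) for a in actions):
            exposure["read"] = True
    # A bucket-level ACL READ grant lets the grantee list objects; object
    # contents are governed by object ACLs or the policy, not this grant.
    for grant in acl.get("Grants", []):
        if grant["Grantee"].get("URI") in PUBLIC_GRANTEES and grant["Permission"] in ("READ", "FULL_CONTROL"):
            exposure["list"] = True
    return exposure
```

Closing the listing alone leaves every object readable by anyone who already knows or can guess its key, which is why an audit should confirm that the account-level Block Public Access settings are on rather than rely on the policy alone.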
Original Post available at:
(SecurityAffairs – student loan company, cybersecurity)