Security researcher Jeremiah Fowler together with the Website Planet research team found an unsecured Transcredit data leak of 822,789 records of user information.
Transcredit Data Leak
The database included data on truckers, transport companies, loans, repayment, and debt collections, and other data specifically for the transportation industry. This included banking information and tax ID numbers. Many of the Tax IDs were consistent with what appeared to be Social Security Numbers stored in plaintext.
- Total Records: 822,789. Internal records that include customers first and last names, emails, bank information, Tax ID numbers that appear to be SSN and EIN (Employer Identification Number). These individuals could be at risk of a targeted social engineering attack using insider information.
- Detailed notes on collections, payment histories, new applicants, status and progress. References to “TransCredit” and “Transcore”
- Internal Passwords and login IDs / Usernames, account numbers. We can only assume that these could be used to access the user portal. (We do not circumvent password protections or attempt to validate user credentials for ethical reasons).
The team says that TransCredit works similarly to traditional credit scores. The company exists specifically for the transportation industry. It assigns a risk assessment score that ranges from 0 to 99, with 0 being high risk and 99 being the lowest risk. Once they apply a scoring system it gives an idea of risk for both shipper, drivers, and transport companies. Some carriers rely on a scoring system and disqualify shippers with a poor rating.
The team also says: “Although there were many references to TransCredit inside the database and 600k “Credit Reports”, we did not receive a reply from anyone at TransCredit verifying if the data did indeed belong to them. It is not clear if this data was exposed by a contractor or a 3rd party who had access to these reports, or if this was in fact TransCredit’s internal database?”