700Credit, a U.S.-based financial services and fintech company, will start notifying more than 5.8 million people that their personal information has been exposed in a data breach incident.
The cyberattack occurred after a threat actor had breached one of 700Credit's integration partners in July and discovered an API for obtaining customer information. However, the partner did not inform 700Credit of the compromise.
700Credit noticed suspicious activity on its systems on October 25 and launched an investigation, with assistance from third-party computer forensic specialists.
"The investigation determined that certain records in the web application relating to customers of its dealership clients were copied without authorization," 700Credit says in the notification to affected individuals.
According to 700Credit Managing Director Ken Hill, the attacker managed to steal around 20% of consumer data from May to October before the company terminated the exposed API.
The threat actor was able to exfiltrate data due to a security vulnerability in the API, a failure to validate consumer reference IDs against the original requester.
The data types that have been exposed include:
Full name
Physical address
Date of birth
... continue reading