San Andreas Regional Center Sends Notices of a Data Breach to Beneficiaries
Published on August 26, 2021
A New York-based company operating under the names "Advantage Capital Funding" and "Argus Capital Funding" has leaked particularly sensitive documents online via an unprotected database. The exposure came from an Android/iOS app named "MCA Wizard," which is no longer available for download. The app first launched two years ago to help the firm unite its team operations with its clients. MCA stands for "Merchant Cash Advantage," so the app's purpose was to serve as a tool that would help business owners ask for financial advice and also apply for high-interest loans.
A research team led by Noam Rotem has discovered this data leak on December 24, 2019, and figured out the owner's identity a week after. Having no contact information to warn the NY firm, they reached out to Amazon, where the S3 bucket was hosted. Finally, the cloud hosting provider took action on January 9, 2020, and hopefully, the 425 GB of data was secured before any malicious actors had the chance to steal it. Overy 500,000 documents contained in the leaking database included the following highly-sensitive information:
The scope of the exposure is both wide and deep, as the documents that were left unprotected online could enable malicious actors to victimize the affected individuals in a variety of ways. From launching phishing campaigns and sending extorting messages, to selling confidential information on the dark web, or targeting entities with malware and ransomware - Argus and Advantage clients, partners, and customers were all put at great risk. If you have done business with the firm in the past, contact them immediately and ask about how this breach impacts you specifically.
Although this is a very impactful data breach, it is unlikely that Argus and Advantage will face significant legal trouble. The associated laws in the United States remain pretty lax, except for the CCPA (California Consumer Privacy Act), which obliges the firm to submit a detailed report about what happened. The responsibility for this may be rolled over to the developer of the MCA Wizard app, depending on who was responsible for its uploading, and what was its role online, as there is no clear connection between the two companies and the MCA found anywhere online.