Sensitive Details of Student Loan Applicants Leaked via Call Recordings

Last updated September 25, 2021
Written by:
Bill Toulas
Bill Toulas
Infosec Writer

Security researchers have discovered yet another unsecured Amazon S3 server that belonged to the “Student Advocates Group.” This entity was characterized as fraudulent by FTC last year - who also took legal action against them. Now, the damage to the loan applicants became even worse than what they had to sustain by the scheme, as their sensitive details were contained in the unprotected database. A peculiarity that concerns this incident is that the database wasn’t only hosting listings of documents with user details, but also call recordings.

The leaking bucket contained the following files:

tax return

Source: securityaffairs.co

The call recordings are the most catastrophic for the students, as the support agent begins by confirming the other person’s details. This includes the following things:

In some cases, the call recordings also include the following information:

These are extremely sensitive details that should have been treated with extra care, but unfortunately, they weren’t. The students who had no other choice than to trust the “Student Advocates Group” will now have to deal with the additional risks of identity theft, scamming, and extortion. Considering that these people were already in a dire financial position, the effects of this latest incident are magnified.

The researchers discovered the S3 bucket on April 29, 2020, but the loan agency didn’t respond to the warning messages. Thus, the researchers reached out to Amazon on May 7, 2020, and the database was eventually secured on May 26, 2020. So, the data was accessible for approximately a full month, which should be more than enough for malicious actors to locate it and download everything. Considering that there are about 56,500 social security numbers there, selling this data would make the actors between $275,000 and $4.4 million.

As for whether your personal details are included in the leaked data or not, the timestamps of the datasets range between early- to mid-2018 and January 21, 2020. If you have spoken with an agent of the Student Advocates Group, the Progress Advocates Group, the Assurance Solution Services, or the Equitable Acceptance Corporation (all under the same umbrella) for the approval of a loan application consider yourself exp



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: