The news:
- A data breach at Nigerian fintech company BestFin Nigeria has exposed the sensitive personal information of 846,000 of its loan app customers, including personal communications, according to Cybernews.
- The breach, found on an unsecured MongoDB database, raises serious concerns about data privacy and the ethical practices of digital lending apps in the country.
On July 2, 2024, Cybernews detected an unprotected 300GB database belonging to BestFin Nigeria, the company behind the iCredit app, an online loan app in Nigeria.
The exposed data included sensitive personal details such as names, phone numbers, email addresses, and home addresses.
The company also collected alarming amounts of private data, such as users' contact lists, lists of apps installed on their devices, SMS messages (including personal communications unrelated to loans), and Bank Verification Number (BVN) validation logs.
The leak revealed an unsettling aspect of the company’s operations: it collected not just financial information but also personal communications.
This level of intrusion, according to Cybernews, raises questions about the legality of their practices under Nigeria’s Data Privacy Regulations, which prohibit accessing user contact lists and private messages.
The leaked data also revealed unethical practices among loan recovery agents, such as harassment, blackmail, and threats to publicly disclose borrowers' private financial information. These practices reflect broader issues in Nigeria's digital lending space, where aggressive debt collection tactics have become commonplace.
What’s more, the database appeared to have been compromised by an external threat actor, with a ransom note demanding 0.01 bitcoin (around $640) to restore access. This indicates that the exposed information was likely accessed by cybercriminals, further endangering the affected users.
While this is just one case, it shines a light on the broader practices of digital lending services in Nigeria, many of which have already faced regulatory action.
In response to growing concerns, the Nigerian government has committed to tightening data privacy regulations in 2024. Still, this incident highlights the immediate need for stricter enforcement and greater protection for consumers.
Despite follow-up efforts by Cybernews to alert BestFin Nigeria to the leak, the database remained accessible until August 26, 2024.
Customers using the iCredit app are advised to be vigilant for phishing scams and attempts to exploit their exposed data.
This breach serves as a stark reminder of the risks consumers face when their sensitive information is inadequately protected.