Alleged data leak exposes private messages of 846,000 iCredit customers

·
October 15, 2024
·
2 min read
Data breach

The news: 

  • A data breach at Nigerian Fintech company BestFin Nigeria has exposed the sensitive personal information of 846,000 of its loan app customers, including personal communication, according to Cybernews
  • The breach, found on an unsecured MongoDB database, raises serious concerns about data privacy and the ethical practices of digital lending apps in the country.

On July 2, 2024, Cybernews detected an unprotected 300GB database belonging to BestFin Nigeria, the company behind the iCredit app, an online loan app in Nigeria. 

The exposed data included sensitive personal details such as names, phone numbers, email addresses, and home addresses. 

The company also collected alarming amounts of private data, such as a list of contacts and apps installed on users' devices, SMS, including personal communications unrelated to loans, and Bank Verification Number (BVN) validation logs. 

The leak revealed an unsettling aspect of the company’s operations, as they collected not just financial information but personal communications. 

Advertisement

This level of intrusion, according to Cybernews, raises questions about the legality of their practices under Nigeria’s Data Privacy Regulations, which prohibit accessing user contact lists and private messages.

The leaked data also revealed unethical practices among loan recovery agents, such as harassment, blackmail, and threats to publicly disclose borrowers' private financial information. These practices reflect broader issues in Nigeria's digital lending space, where aggressive debt collection tactics have become commonplace.

What’s more, the database appeared to have been compromised by an external threat actor, with a ransom note demanding 0.01 bitcoin (around $640) to restore access. This indicates that the exposed information was likely accessed by cybercriminals, further endangering the affected users.

READ MORE   We did not make $26 billion from Nigeria — Binance CEO

While this is just one case, it shines a light on the broader practices of digital lending services in Nigeria, many of which have already faced regulatory action. 

In response to growing concerns, the Nigerian government has committed to tightening data privacy regulations in 2024. Still, this incident highlights the immediate need for stricter enforcement and greater protection for consumers.

Let the best of tech news come to you
Join 30,000 subscribers who receive Techpoint Digest, a fun week-daily 5-minute roundup of happenings in African and global tech, directly in your inbox, hours before everyone else.
Digest Subscription

Give it a try, you can unsubscribe anytime. Privacy Policy.

Despite follow-up efforts by Cybernews to alert BestFin Nigeria to the leak, the database remained accessible until August 26, 2024. 

Customers using the iCredit app are advised to be vigilant for phishing scams and attempts to exploit their exposed data. 

This breach serves as a stark reminder of the risks consumers face when their sensitive information is inadequately protected.

Subscribe To Techpoint Digest
Join thousands of subscribers to receive our fun week-daily 5-minute roundup of happenings in African and global tech, directly in your inbox, hours before everyone else.
This is A daily 5-minute roundup of happenings in African and global tech, sent directly to your email inbox, between 5 a.m. and 7 a.m (WAT) every week day! 
Digest Subscription

Give it a try, you can unsubscribe anytime. Privacy Policy.

Other Stories
43b, Emina Cres, Allen, Ikeja.

 Techpremier Media Limited. All rights reserved
magnifier