Kromtech Security Researchers say they discovered a “massive trove of data” from both businesses and investors on the online lending platform Funding Circle. The data only referenced US based customers and did not impact other markets where Funding Circle originates loans.
Reportedly, no data was compromised or stolen. Funding Circle told Kromtech;
“A security researcher informed us of a vulnerability in one of our databases. As soon as we learned of the issue, we launched a full investigation, determined the cause, and immediately implemented a fix. Our log analysis highlights that there was no other access of this data by a third party other than the security researcher. We are grateful to him for bringing this to our attention and are currently conducting a full analysis with third-party support to ensure independent verification of our findings.”
Kromtech confirmed the vulnerability had been addressed and the information was no longer open to access.
The company said the following information was unsecured at the time of the discovery:
- 5,974 U. business owners social security numbers and 3,946 EIN numbers, credit scores, and business loan histories
- Millions of US business names and contact information
- Over 13 million marketing email addresses with the contacts of decision-makers inside businesses and government organizations.
- More than 45 thousand internal notes that summarize customer updates or conversations from loan servicing.
Funding Circle is one of the most successful online business lenders in the world. First launched in the UK in 2010, Funding Circle then launched in the US in October 2013, and Continental Europe two years later. Investors have lent more than £2.9 billion to 30,300 businesses globally.
While Funding Circle has clarified that no data was stolen the incident is a cautionary note on the heightened degree of security needed to protect individual and business information in all financial services.
Kromtech is a software provider that produces products for Mac OS and iOS.