Instant Loan App: Defunct CashMama, and Loan Zone, MeraLoan Leaking Customers' Sensitive Data, Says Report
Moneylife Digital Team 11 April 2022
Personal identification information (PII), such as ID photos, loan agreements and other files exposing a wide variety of sensitive data, such as full names, email addresses, national IDs, phone numbers, bank accounts containing more than 6.5mn (million) files, totalling over 1TB (terabyte) of data, are being leaked from (now) instant loan app CashMama and three other apps associated with it, says a report.  
The security team at SafetyDetetectives discovered a data breach affecting CashMama, which was left in an open form on Amazon's S3 bucket. It says, "The bucket's content included PII and sensitive data belonging to the customers of at least four instant loan apps: CashMama, Loan Zone (also known as Vayloan), MeraLoan, and an unidentified app. We observed a large amount of personal data that was collected for each app. We observed ten different file collections on the bucket. Each file collection was comprised of one or more folders that contained similar files. Each collection's data relates to one of the instant loan apps on the bucket." 
According to SafetyDetetectives, the unidentified app's data was stored under an app name, though it could not specify exactly which app this name referenced. "A small portion of files have an unknown origin — this data could've been collected for one of the loan apps mentioned, or, it could've been collected for a completely different instant loans app," it says.
Founded in 2018 in Hyderabad, CashMama is now defunct after it was found to be allegedly involved in an instant loan app scam. CashMama promised convenience with a loan application and screening process that was 100% online. 
"CashMama was owned by the parent company Onion Credit Pvt Ltd, which also operated other instant loan apps with data on the open bucket, such as Loan Zone and MeraLoan. Each of these apps is implicated in allegations of racketeering. Onion Credit's representatives were arrested in late 2020 following allegations of blackmail, harassment, coercion, and financial fraud," says SafetyDetetectives.
CashMama's open bucket demonstrates functionality that allows its owners to snoop on customers via several mobile apps and related services. "Loan agreements exposed a large portion of this PII and sensitive data, information that belongs to CashMama's customers. Loan agreements appear to document contracts between customers and instant loan companies.
"Alternatively, loan agreements could have been sent to the non-bank financial companies (NBFCs) funding the loans. There were almost 300,000 loan agreements on the misconfigured bucket."
According to the investigation, images data found from CashMama's bucket included technical information about users' photos without containing the photos themselves. Images data exposed the PII and sensitive data of CashMama customers and was found on epoch files. Nearly 200,000 epoch files exposed the data of around 100,000 CashMama customers.
"ID photo files contained ID photos presumably collected during the application and identification process. We believe these photos exposed the PII of LoanZone/Vayloan customers, though, we can't be certain. Over 2.3 million of these files were observed on the open bucket. Processed ID cards contained over 170,000 plaintext IDs. Here, ID cards were converted into plaintext via optical character recognition—a technology that scans images for text," the report says.
Further, CashMama's Amazon web service (AWS) S3 bucket contained nearly 650,000 SMS data files and almost 1mn SMS and contact history files—the latter exposed phone-related data for over 350,000 customers. Device info that likely belonged to LoanZone or Vayloan users was also found in a Vayloan fingerprint data folder. We saw over 600,000 files in this folder that contained this form of sensitive user data.
MeraLoan users had their mobile phone contacts data exposed in MeraLoan applications and contracts files. One folder on the bucket stored over 7,000 files containing MeraLoan users' contacts. "We don't know whether or not the app requested access to users' contacts to gather this data. If the app did request access, users need to be aware that access to contacts gives the app permission to download all contact files, including the details contained within contacts," SafetyDetetectives says.
CashMama's unsecured Amazon S3 bucket was not live and was not being used at the time of discovery and files on the bucket were dated from October 2020 to April 2021.
"Amazon is not responsible for the management of CashMama's AWS S3 bucket and is therefore not responsible for this data breach. Considering the number of unique files we observed, we estimate there are around 200,000 to 600,000 customers exposed in CashMama's data breach," the report says.
According to SafetyDetetectives, CashMama's bucket contained data that was seemingly collected from users' phones. It says, "We don't know whether access to this data was granted by users in app permissions or not. If the apps did request permissions, the bucket demonstrates the extent to which apps can legally gather user data, and how this data collection can ultimately place users in danger. Users must carefully read permissions before downloading an app. Importantly, users must be able to understand the data to which each app permission grants access."
As reported by Moneylife, while usurious lenders, charging astronomical interest and masquerading this as processing fees (to beat the Usurious Loans Act) continue to wreak havoc among desperate borrowers, the Union government has washed its hands off the issue. 
In February last year, a written reply in the Lok Sabha, the ministry of electronics & information technology (MeitY) says, police and public order are state subjects and states and Union Territories (UTs) are primarily responsible for prevention, detection, investigation, and prosecution of crimes including misuse of social media through their law enforcement machinery.
Further, instead of taking cognizance of the serious issues, the ministry simply shared Google Play Store policy in its reply.
As reported by Moneylife , the apps, which lend small sums between Rs2,000 to Rs10,000, target low-income and financial unsavvy Indians, who fail to realise how quickly their small borrowings can balloon into a huge loan. The harassment that follows has driven many young people to suicide, pushing the police to act.
Earlier in December 2020, the Reserve Bank of India (RBI) had warned borrowers not to go to unauthorised digital lending platforms or mobile apps for obtaining a loan and never to share any know-your-customer (KYC) related documents with these entities. However, except for advising borrowers to file a complaint, RBI had not mentioned any action it has taken so far or how it proposes to curb the menace. 
According to RBI, there have been reports about individuals and small businesses falling prey to a growing number of unauthorised digital lending platforms and mobile apps on promises of getting loans in a quick and hassle-free manner.
RBI was referring to an article in The Federal, which was re-published by Moneylife which reported that thousands of customers have fallen prey to such lending platforms which are misusing data, overcharging customers, and taking advantage of the digital illiteracy. 
The article says barring a few, most such lending companies charge a high interest and processing fee on short-term loans (seven days to one month). Their interest rates vary from 25%-40% while the processing fee ranges from 15% to 20%. In addition, GST at the rate of 18% is levied on the processing fee.
You may want to read...
Free Helpline
Legal Credit