1. Business

National Credit Federation exposed 40,000 customers' finance data

The National Credit Federation exposed sensitive financial data for 40,000 customers in October, a security research firm found. Pictured is Herschel Bentley, CEO of NCF. | [Courtesy of National Credit Federation]
Published Dec. 6, 2017

TAMPA — A Tampa-based financial company that caters to consumers with damaged credit exposed 40,000 customers' extremely sensitive personal data. The National Credit Federation's data exposure was discovered by security research firm UpGuard, which recently published a report on the incident.

"These are agencies that we are trusting to take care of our credit and information," Sri Sridharan, executive director of the Florida Center for Cybersecurity in Tampa, said. "That they are so careless about it is appalling."

NCF is a credit repair company that disputes incorrect or "misleading" items on its customers' credit reports to build customers' financial standing over time. It operates around the country.

"Our mission is to help people who are currently in or have successfully come through a financial crisis take back control of their finances and credit," the firm's website says.

NCF did not return requests for comment for this article. However, the URL was disabled, according to California-based UpGuard, which found the exposed data in early October. The URL was not indexed by search engines.

It includes some of the most sensitive personal information: names, addresses, dates of birth, images of driver's licenses and social security cards, full credit card numbers, full bank account numbers, credit reports from all three major agencies and detailed financial histories.

"There really is no other information that is more sensitive in terms of what it can do in dollars-and-cents damage to people," said Joseph Jerome, policy counsel at the Center for Democracy and Technology. Jerome specializes in privacy and data.

In the wrong hands, that information could be used to empty bank accounts, file fake tax returns, take out mortgages, buy big-ticket items and steal identities.

As far as the researchers know, the data does not appear to have been used maliciously yet.

"Fortunately — hopefully — I think we were the first ones to find it," said Dan O'Sullivan, analyst with UpGuard's cyber risk team.

The issue, he said, arose when the method for accessing the information was changed.

The server with the affected data is password-protected by default, O'Sullivan said. But someone turned off that feature and enabled the data to be accessed by a URL, meaning anyone who had the URL could see the data.

"You have to take an affirmative action to change it," O'Sullivan said, as opposed to changing access by accident.

It is unclear how long the data was exposed for.

Compounding the issue is that the data was in plain text, not encrypted. Typically, sensitive data is protected by encryption, which "scrambles" the data so it can't be understood by someone who shouldn't have access to it. Because this information was not encrypted, anyone who accessed the URL could read NCF customer data the same way that you are reading this sentence.

When UpGuard found the data, it was still being updated with new customer information.

"(A criminal could have) sat there and watched it and had a constantly-refreshing source for identity theft and fraud," O'Sullivan said.

The breach comes just months after Equifax, a major credit reporting agency, announced that data for 143 million customers was stolen.

Related coverage: Equifax raiders have your data. Now what?>

For customers affected by the NCF incident, the outlook is somewhat grim. While it's good news that the data does not appear to have been accessed, that's not a guarantee.

"In my estimation, (the exposure) is very bad especially when we consider that these people already have financial difficulties and were put in a position of being victimized again," O'Sullivan said.

It is unclear if affected customers have been notified about the breach. Experts suggest NCF customers freeze their credit and monitor their bank accounts.

Contact Malena Carollo at or (727) 892-2249. Follow @malenacarollo on Twitter.


  1. Tampa Bay Lighting host a watch party on the beach at the Tradewinds resort on St. Pete Beach in February. LUIS SANTANA  |  Tampa Bay Times
    TradeWinds is the biggest resort in Pinellas County.
  2. A view of the downtown St. Petersburg skyline and waterfront from over Tampa Bay.
    The news that the Tampa Hillsborough Economic Development Corporation wants to change its name to include “Tampa Bay” has been met with resistance.
  3. The Whole Coffee Company makes Dunkin’-branded Coffee Thins as well as Tim Hortons Double Double bars and its own Whole Coffee Company-branded nudge coffee bars. (Photo courtesy The Whole Coffee Company) The Whole Coffee Company
    The Whole Coffee Company, which is based in Miami, was previously known as Tierra Nueva Fine Cocoa. ProspEquity Partners of Tampa owns a majority stake in Whole Coffee.
  4. The Corona Cove opens as the Florida Aquarium's new outdoor bar. The beer company is pledging continued donations to aid conservation efforts. Florida Aquarium
    The beer company also has pledged donations to aid conservation efforts.
  5. The Triton cantaloupe, created with help from Eckerd College. Eckerd College
    The St. Petersburg college teamed up with a central Florida plant breeder to create the Triton cantaloupe.
  6. FILE - In this May 14, 2019, fiel photo, containers are piled up at a port in Qingdao in east China's Shandong province. China’s economic growth slowed to a 26-year low in the latest quarter as a tariff war with Washington weighed on exports and auto sales and other domestic activity weakened. The world’s second-largest economy expanded by 6.2 percent in the three months ending in September, down from the previous quarter’s 6 percent, data showed Friday, Oct. 18, 2019. AP
    Growth in the world’s second-largest economy slipped to 6% in the three months ending in September, down from the previous quarter’s 6.2%, data showed Friday.
  7. Ryan Cummings, 23, left, and Alex Frey, 25, both of Tampa, rent Spin electric scooters from a corral located along Zack Street in May. St. Petersburg hopes to soon launch it's own scooter program. CHRIS URSO  |  Tampa Bay Times
    The city wants to avoid other cities’ mistakes. Scooters will not be allowed on sidewalks and must be parked in designated corrals.
  8. Sam's Club fulfillment center manager Nick Barbieri explains to a shopper how the new Scan & Go shop works at 5135 S Dale Mabry Highway. SARA DINATALE  |  Tampa Bay Times
    The shuttered store has been reinvented and debuted to the community.
  9. Yogi Goswami
    The Molekule Air Mini is a scaled-down version of its original purifier.
  10. 580 Corporate Center in Oldsmar Jones Lang LaSalle Capital Markets
    The six-building center is 91 percent occupied.