Bancoazteca.com.mx (Banco Azteca)
Over 12.5 million documents with PII related to Credit Requests exposed publicly.
Who is Banco Azteca?
“Banco Azteca is a financial institution headquartered in Mexico and is part of Grupo Elektra, which is part of Grupo Salinas, a Mexican conglomerate with interests in banking, media, retail and telecommunications.” from their Wikipedia page.
Finding the exposed data
I monitor servers for exposed data through multiple feeds, I have my own private feed but from time to time I also check the feeds of websites who scan for servers and list them. While looking at some of those servers in early September 2024 I noticed a server exposing a lot of .pdf files and after looking at a couple of them I started looking for possible contacts from Banco Azteca to notify them of this issue as all of the files I checked seem to be related to them.
Examining the data
After listing the files on the server I checked for some statistics:
Exposed files: 45,453,900 .pdf files: 12,545,450 Size: 1940.52 GB
The files that weren’t .pdf files were .cns and .exp files containing some export information on the .pdf files.
I did not check the millions of files exposed but from the ones I checked this server was probably something setup for credit requests.
Some examples of the documents exposed:
- Solicitud de Crédito (Credit requests) - Autorización para solicitar Reportes de Crédito Personas Físicas ( Authorization to request credit reports related to a person) - Certificado / Consentimiento individual de seguro de vida (Individual insurance certification/consent documents)
Initial attempts at notification
On September 7th after searching for contacts from the bank, I emailed them with the information I had.
From all the emails I sent in the past trying to notify companies, I know that unless something changes after a couple of days it usually it means no one read your email/ignored it, so I started looking for other contact options and found the email for the president of INAI (Mexican Data Protection Agency) which I emailed on the night of September 9th.
I woke up the next day and thought that maybe people couldn’t understand what I was trying to say on my emails so I sent another email, in Spanish this time, to the emails I tried to reach out before. This didn’t work either.
Someone eventually reads my emails
Almost a week after the initial emails were sent, nothing had changed, the server was still exposed and I had no replies, so I went to look yet again for different options.
This time I found a couple of CERT emails (cert@banxico.org.mx and cert-mx@gn.gob.mx) so I tried those on September 15th.
This was already looking like I wasn’t getting anywhere and I would have to either just let it go or look for yet another place to contact who might be able to help out when I got a reply from INAI with an official document related to my complaint that basically said to file the complaint again and provide my personal information.
I do not give out my personal information randomly just because I’m trying to alert companies of security issues so I didn’t reply to the email at first but would eventually, if not for less than 2 hours later, Grupo Salinas CTI team (Grupo Salinas are the owners of Banco Azteca) reaching out to me through email.
The email font is so small for some reason that I had to zoom to 200% to even read what the email said so I’ll add the transcript instead of a screenshot of it.
“Hi Jayeltee,
I hope you're doing well. My name is Mario, and I’m part of the Cyber Threat Intelligence team at Grupo Salinas, which includes Banco Azteca. I’m reaching out because your case has been referred to us. I apologize that Banco Azteca didn’t address your findings properly, but my team and I are the right channel for reporting these kinds of discoveries.
We appreciate your work in advance, and I would like to ask you a couple of questions:
Could you share the method you used to make this discovery?
Have you found anything else we should be aware of?
I look forward to hearing from you. Thanks again for your collaboration!
Regards!”
I sent 2 emails over the next 5 days with the information I had about this but didn’t get a reply back. On September 26th a member of the CTI team sent me a private message on infosec.exchange asking if I would be open to discuss this matter, apparently my emails were being blocked by their provider and they never got them. I gave my Signal to this person and spent the next 2 months in contact with them trying to get this closed down which proved to be quite a challenge.
Minimizing the exposure and trying to help close the server
The first thing I did when I got in contact through Signal was update them with the information I tried sending by email almost a week before, which included on what website their data was indexed and what I think they do to scan and find valid exposed servers.
Delisting the server
I know this website delist and remove servers on request. I was dealing with another server at the same time containing really sensitive pictures and was filing a request to have it delisted so I explained that I was in contact with the bank and if they could delist that server as well to minimize exposure until it got fixed. The same day I got an email confirming they would delist the servers and both stopped showing on the website shortly after.
I have a couple of older lists of what was indexed on this website so I checked and could see the server listed there as far back as February 2022 (Could be longer, I don’t have much when it comes to logs that old).
MSRC Portal is useless
Around a month later on October 21st, since this was still exposed, I sent another message with some more information I gathered, mainly the 2022 date from my logs and that all the files inside the server were uploaded between 2017 and 2018.
I was told that despite multiple attempts at contact with Microsoft (their cloud provider) to help out on this, they were yet to get any sort of response from them. I was also asked what do I do to request the removal of this types of repositories because they weren’t getting anywhere so I told him:
Microsoft does not reply at all, at least to me, through their MSRC portal, unless you do some “creative” things when you select the option you want to report. The best option for him would be to either involve the bank legal team and make this a legal matter or try to get in contact with someone there directly.
Why couldn’t the bank just login to the account and close down the server themselves? Well I never asked but either because this was set up by a 3rd party or someone that wasn’t at the bank anymore, the bank was having an hard time finding anyone directly responsible for the server and obviously Microsoft wasn’t being of any help on that front either.
Recruiting help from a Microsoft employee
Around a week after the last exchange with the bank contact I was dealing with a different issue related to Microsoft and managed to get a contact for a security person from another Microsoft team and I wanted to make them aware the issue wasn’t just with me so I mentioned this whole bank situation to them which made them open an internal ticket and until the server was closed this person tried to help close it down internally.
I updated my bank contact with this information and they asked if they could get someone from Microsoft to contact them or if they could get a contact so they could reach out, I forwarded the request to the person I was talking with and know this was asked but as far as I’m aware no one ever reached out from Microsoft.
The server finally closes, 2 months later
On the morning of November 20th I saw the server was finally closed down so I sent a message to my bank contact which told me after talking to a lot of people they finally got someones attention and with the help of their Microsoft Customer Success Account Manager, they managed to close this down.
They also told me that apparently to close down this type of repositories the organizations must file the complaints themselves and if they have a Microsoft Account Manager, they can use that to escalate the case.
Final notes
Microsoft sucks. Really, it does. I’ve tried multiple times to get in contact and it almost never works. I’ve also heard from multiple companies that are their actual clients and apparently it’s not easy either for them. I am working on another post that involves them where I’ll actually show examples of what it is dealing with them from my end. Fortunately there are still good people that work there and try and help the best they can.
This is probably the incident I’ve reported where I “did” the most for any company. The only reason I mentioned this company instead of any of the dozens I’ve tried to notify before that are also Microsoft clients or went out of my way to get their server delisted is simply because this was one of the rare instances where someone actually replied to me and kept in contact. If a company doesn’t reply to me, I won’t go out of my way to actively minimize any exposure, I’ll just keep trying to contact official channels until I give up on them.
The files on this server were all from 2017-2018, it’s possible this was exposed and forgotten that long ago, I can only confirm it being exposed since February 2022 though.