Misconfigured Server Leaks 378GB of Navy Federal Credit Union Files

Cybersecurity researcher Jeremiah Fowler discovered an unsecured and misconfigured server exposing 378 GB of internal Navy Federal Credit Union (NFCU) files, including operational data from Tableau, but no customer information.

A misconfigured server has been discovered that contained sensitive internal files of what appears to be the nation’s largest credit union serving military members, Navy Federal Credit Union (NFCU).

This research, shared with Hackread.com, was conducted by Jeremiah Fowler of Website Planet, who found a trove of unencrypted backup data. The database was open and unprotected, meaning anyone could have accessed it without a password.

It is worth noting that the database, which totalled a massive 378 GB, did not contain any credit union member data in plain text. However, the exposed files contained a mix of potentially sensitive information, including internal user names, email addresses, and possibly hashed passwords and keys.

Screenshots taken by Fowler for verification showed details about user roles within the credit union. Inside the database, Fowler found numerous Tableau workbook documents. For your information, these are files created by a business platform that helps analyse data. The files contained valuable information such as connection details to other internal databases and formulas used to calculate financial metrics like loan performance and profits.

This information, while not customer data, could act as a “blueprint” for how the credit union’s internal systems operate. Furthermore, the backup files included important system information, such as logs, product codes, and data that should have remained private.

While no customer data was directly exposed, the security lapse still presents a serious risk. According to Fowler, this type of leaked information can provide criminals with a “roadmap” for future attacks. Threat actors could use the exposed internal emails and names to target employees with highly convincing phishing attempts, potentially gaining deeper access to the network.

“These files can sometimes be just a representation of the production data, but they still may reveal underlying structures or metadata that indicate how the backup software associates or connects these files to production systems,” Fowler noted in his report.

Fowler immediately reported his findings to NFCU, and the database was secured within a few hours. However, it is not known how long the database was exposed or if anyone else accessed the information.

This incident shows that organisations must treat all backup data with the same level of security as live data. Also, it backs the need for companies to encrypt all backup files and regularly audit security protocols, including those of third-party contractors.