• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Mitel patches critical MiVoice MX-ONE Auth bypass flaw

 | 

Coyote malware is first-ever malware abusing Windows UI Automation

 | 

SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

 | 

DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

 | 

Stealth backdoor found in WordPress mu-Plugins folder

 | 

U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

 | 

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 

Sophos fixed two critical Sophos Firewall vulnerabilities

 | 

French Authorities confirm XSS.is admin arrested in Ukraine

 | 

Microsoft linked attacks on SharePoint flaws to China-nexus actors

 | 

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 

Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

 | 

MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

 | 

U.S. CISA urges to immediately patch Microsoft SharePoint flaw adding it to its Known Exploited Vulnerabilities catalog

 | 

Microsoft issues emergency patches for SharePoint zero-days exploited in "ToolShell" attacks

 | 

SharePoint zero-day CVE-2025-53770 actively exploited in the wild

 | 

Singapore warns China-linked group UNC3886 targets its critical infrastructure

 | 

U.S. CISA adds Fortinet FortiWeb flaw to its Known Exploited Vulnerabilities catalog

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Data Breach
  • OCR Labs exposes its systems, jeopardizing major banking clients

OCR Labs exposes its systems, jeopardizing major banking clients

Pierluigi Paganini April 06, 2023

A digital identification tool provided by OCR Labs to major banks and government agencies leaked sensitive credentials, putting clients at severe risk.

  • London-based OCR Labs is a major provider of digital ID verification tools. Its services are used by companies and financial institutions including BMW, Vodafone, the Australian government, Westpac, ANZ, HSBC, and Virgin Money.
  • A misconfiguration of the company’s systems exposed sensitive credentials to the public.
  • Data leak affected QBANK, Defence Bank, Bloom Money, Admiral Money, MA Money, and Reed.
  • Using leaked data, threat actors could potentially breach banks’ backend infrastructure and consequently the infrastructure of their clients.
  • Financial services are the main target for cybercriminals, so the threat for the organizations and their customers is severe.
  • Cybernews contacted OCR Labs, and the company fixed the issue.

The Cybernews research team discovered a misconfiguration in the OCR Labs system that exposed sensitive data.

The company is a leading provider of digital ID verification tools, with its IDkit tool being used by major banks, telecoms companies, and governmental agencies. IDKit verifies users by linking their faces to their identity documents.

The discovered data leak impacted financial institutions in Australia – QBANK, mainly used by government agency workers, Defence Bank, catering to the Australian armed forces, and MA Money, a company that focuses on residential mortgages.

The leak also affected Bloom Money and Admiral Money – two financial companies based in the UK, and Reed, which is the UK’s top recruitment agency.

Using leaked data, threat actors could potentially breach companies’ backend infrastructure and consequently the infrastructure of their clients. While financial services are the main target for cybercriminals, the threat to the organizations and their customers is severe.

Cybernews reached out to the company, and it fixed the issue.

A treasure trove of credentials

On March 8, 2023, the Cybernews research team discovered a publicly accessible environment file (.env) belonging to idkit.com, owned by OCR Labs.

The file contained database credentials, including host, port, and username, Amazon Web Services (AWS) with Simple Queue Service (SQS) access credentials, application tokens, and various application programming interface (API) keys.

Among the leaked data, researchers found Google and Liveness API keys. Liveness is used in the digital identification process, determining whether the sample belongs to a live person or a fake, thereby preventing spoofing or account-holder impersonation.

The exposure of these keys is particularly dangerous because it potentially allows an attacker to see all the API’s data and modify and update related files, pipelines, and workflows.

Researchers also stumbled upon Engine v4 credentials: while they cannot determine the exact impact of this discovery, it is related to the Know Your Customer (KYC) service, which entails verifying a client’s identity when opening an account and periodically over time to guard against money laundering. The exposure of its ID and secret can potentially compromise KYC processes.

OCR Labs
Leaked credentials for Defence Bank | Image by Cybernews

Financial data at risk

Another piece of sensitive information observed was the API key from Experian, a well-known multinational data analytics and consumer credit reporting company.

Experian collects financial data on individuals to help rate their creditworthiness. Having access to the API might enable the threat actor to access private user data such as credit score, and edit all data associated with the API.

Leaked app URLs, IDs, and tokens could have been used by threat actors to hijack OCR Labs client applications.

The exposure of AWS and SQS access credentials has put OCR Labs clients in danger. Leaking this kind of data opens up the possibility of disrupting the company’s systems operations, hampers its ability to view internal server communication, and potentially enables malicious actors to gain further access to cause harm to customers.

The discovered OAuth endpoint URL and token for business metrics could help malicious actors access private commercial information.

Wide range of attacks

This leak could have caused significant damage if malicious actors used it to take over the application instance, enabling lateral movement with a targeted system.

The environment file could potentially provide threat actors with various attack options. Ransomware deployment, and access to sensitive customer data such as personally identifiable information (PII), deposits, withdrawals, and transfers, are just a few examples of what could be done with the leaked data.

Leaked data could be highly beneficial for phishers and fraudsters who may exploit the opportunity to impersonate brokers or banks and deceive unsuspecting individuals and businesses into transferring money to scammers.

Moreover, the risk of identity theft and establishing fraudulent bank accounts, also known as bank drops, using stolen customer credentials, cannot be overlooked.

OCR Labs’ response

Immediately after Cybernews informed the company about the misconfiguration, it took all the necessary actions to remedy the situation. OCR Labs says it adheres to a vulnerability disclosure program (VDP) framework “to securely accept, triage, and rapidly remediate vulnerabilities.”

Following the framework, the company claims to have notified all impacted clients as part of their response. After an internal investigation, it stated that there was “no risk to the security of our client’s data or any of our other clients.”

“After more than 40 hours of investigation, we discovered that these reports pertained to unused demo and non-production environments and the keys which were discovered by the bots were of offline systems,” said Paul Warren-Tape of OCR Labs.

Cybernews reached out to the affected clients, but at the time of writing has not received their comment yet.

If you want to read the OCR Labs’ response and how to secure your data give a look at the original post:

https://cybernews.com/security/ocr-labs-exposes-its-systems/

About the author: Paulina Okunytė, Journalist at cyberNews

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

  • The Teacher – Most Educational Blog
  • The Entertainer – Most Entertaining Blog
  • The Tech Whizz – Best Technical Blog
  • Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, North Korea)


facebook linkedin twitter

data leak Hacking hacking news information security news IT Information Security OCR Labs Pierluigi Paganini Security Affairs Security News

you might also like

Pierluigi Paganini July 25, 2025
Mitel patches critical MiVoice MX-ONE Auth bypass flaw
Read more
Pierluigi Paganini July 24, 2025
Coyote malware is first-ever malware abusing Windows UI Automation
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Mitel patches critical MiVoice MX-ONE Auth bypass flaw

    Security / July 25, 2025

    Coyote malware is first-ever malware abusing Windows UI Automation

    Malware / July 24, 2025

    SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

    Security / July 24, 2025

    DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

    Security / July 24, 2025

    Stealth backdoor found in WordPress mu-Plugins folder

    Malware / July 24, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT