- A database that contains whole behavioral and financial profiles of people and businesses were left unsecured online
- Researchers claim it belongs to a Danish fintech company
- The company denies having something to do with the archive
A huge database containing millions of very sensitive information about Swedish citizens sat on the open internet, available to anyone who knew where to see.
Cygenerws Researchers recently revealed a wrongly configured elastic search server, as they described as a “gold mining of business information data” containing hundreds of millions of highly detailed items belonging to Swedish individuals and organizations.
It was attributed to a business information specialist, but the company refused to have something to do with the archive.
Who owns the data?
In total, the data created a detailed financial and behavioral profile for both citizens and organizations in Sweden.
Generally, it contained more than 100 million data registrations generated between 2019 and 2024, and spread over 25 indices.
This included people’s names (including history of previous names), Swedish personal identity numbers, birth dates, gender, address history (both locally and abroad), civilian status, information about deceased persons, foreign addresses (for emigrants), debt registers, payment notes, bankruptcy history, property rights indicators, income tax, activity and events and events, financial data and behavioral data.
Cygenerws‘Researchers attributed the server to Risk, a Danish fintech company that offers real-time credit rating, risk surveillance and financial risk intelligence for businesses.
They claim the use of internal “DWH*” marks and product -oriented index names “matched the conventions of known risk products”.
However, the researchers also claim that the database was probably driven by a downstream third party, after risk “legitimately provided the” data under a commercial license, “only to be wrong and left exposed”.
The researchers reached the risk and the database was locked the following day.
Meanwhile, the company answered and said it had nothing to do with the archives:
“Our preliminary study shows that the data mentioned in the reported leak contains information that we do not own, store or have access to through our business operations. This suggests that our systems are not the source of this particular data violation,” the company’s spokesman told the researchers.
