Researcher: Internal Data Belonging to World’s Largest Lender Exposed on AWS

Cybersecurity researcher Jeremiah Fowler found that Navy Federal, the world’s largest credit union, left hundreds of gigabytes of internal backup files exposed on Amazon’s cloud storage service.
In May, Fowler discovered an unencrypted and publicly accessible Amazon S3 bucket holding 378 gigabytes of internal backup files, made up of 14 files in .gz, .sql and .twbx formats. The files belonged to Navy Federal Credit Union, which serves U.S. military members, veterans and their families.
The exposed backup included user names, email addresses, hashed passwords, keys and what appeared to be internal system data such as business logic, codes, optimization processes and financial performance metrics. Fowler said he did not see any member data in plain text. The internal records could provide attackers with a roadmap for phishing or social engineering attempts, or insights into the credit union’s network and operations.
“Anytime a financial institution potentially exposes how their systems work, the individuals who access it and the type of data they are collecting, it poses serious risks,” Fowler told Information Security Media Group.
Navy Federal is headquartered in Vienna, VA, and is a member-owned, not-for-profit financial cooperative. As of December 2024, it managed approximately $180.8 billion in assets. Fowler reported the exposure, and access to the cloud files was restricted within hours. The credit union did not respond to Fowler. In an emailed statement to ISMG, a spokesperson said that “at this time, we are unable to share any information regarding this matter.”
The most recent SQL dump in the exposed bucket was dated May 29. Fowler said there was no information available on how long the files may have been publicly accessible. He noted that earlier this year, reports emerged of ransomware campaigns abusing Amazon Web Services S3 bucket functionality by exploiting versioning and encryption features, underscoring the risks of misconfigured cloud storage.
Although it is unclear whether the exposed system was managed directly by Navy Federal or a contractor, Fowler said the bucket contained identifiers such as “NavyXXX_Backup” and email addresses tied to the credit union. “I was able to match unique or uncommon names inside the records to individuals working at Navy Federal via LinkedIn,” he said.
Among the exposed items were what appeared to be hashed or encrypted credentials and data strings marked as “keys.” Fowler said he did not attempt to decrypt or use them. “It is hypothetically possible that these could be exploited to gain unauthorized access,” he said.
Fowler’s report said the exposed backup included system logs, operational metadata and internal details such as optimization processes, rate structures and product tiers. It also contained Tableau workbook documents that connected to MySQL tables, with server connection information and calculation formulas linked to financial performance and loan portfolio metrics. Some of the XML-based files were labeled as production, revealing database structures, field names and the environments in which they operated. Other records showed password history tables with hashed strings and timestamps, as well as entries marked as keys and foreign keys mapping the relationships between data.
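As an added illustration (not part of Fowler's report or the original article), the Python sketch below audits a packaged Tableau workbook for the kind of server connection details described above, so they can be reviewed before the file goes into a backup. The sample workbook, host name, database and account are constructed, and the code assumes the workbook XML stores data sources as `<connection>` elements with `server`, `dbname` and `username` attributes.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# <connection> attributes that disclose infrastructure details.
SENSITIVE_ATTRS = ("class", "server", "port", "dbname", "username")

# Constructed sample workbook XML; host, database and account are made up.
SAMPLE_TWB = """<?xml version='1.0' encoding='utf-8'?>
<workbook><datasources><datasource name='loans'>
  <connection class='federated'><named-connections>
    <named-connection name='mysql.example'>
      <connection class='mysql' server='db-prod.example.internal' port='3306'
                  dbname='portfolio' username='report_svc' />
    </named-connection>
  </named-connections></connection>
</datasource></datasources></workbook>"""


def build_sample_twbx() -> bytes:
    """Package the constructed workbook the way a .twbx does (a zip archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("loans.twb", SAMPLE_TWB)
        archive.writestr("Data/extract.hyper", b"")  # placeholder extract
    return buf.getvalue()


def audit_twbx(data: bytes) -> list:
    """Return one finding per server connection embedded in a .twbx archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for name in archive.namelist():
            if not name.lower().endswith(".twb"):
                continue  # skip extracts, images and other packaged files
            # Intended for your own workbooks; use defusedxml for untrusted XML.
            root = ET.fromstring(archive.read(name))
            for conn in root.iter("connection"):
                details = {a: conn.get(a) for a in SENSITIVE_ATTRS if conn.get(a)}
                if "server" in details:  # federated wrappers carry no server
                    findings.append({"workbook": name, **details})
    return findings


if __name__ == "__main__":
    for finding in audit_twbx(build_sample_twbx()):
        print(finding)
```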
He said that even without customer information in plain text, these types of internal files could provide a blueprint for how Navy Federal’s systems function. Attackers could potentially use such insights to identify weaknesses or to craft targeted social engineering attempts against employees. Fowler also warned that exposed backups can reveal the third-party software or services an organization relies on, which may expand the risk of supply chain attacks. Gartner has projected that by 2025 nearly half of organizations worldwide will experience some form of supply chain compromise, with annual costs expected to reach $138 billion by 2031.
