
Another concern is the exposure of partial credit card numbers. In this case, I saw the first three and last four digits of credit cards in several .json files. Even a partial card number has value to criminals: they can cross-reference it against earlier breaches to recover the missing digits, or combine it with other leaked financial details in a targeted phishing attempt that asks the individual to "confirm" the rest of the number. I am not implying that Vroom’s customers or users are at imminent risk of being targeted for any type of fraudulent activity; I only highlight the potential real-world risks when this type of data is exposed.

According to research conducted by Sophos in 2024, the financial industry is a prime target for cybercriminals, with 65% of organizations surveyed reporting that they had been hit by ransomware. As financial technology expands and fundamentally changes how consumers manage money or obtain financing, cybersecurity must evolve to meet the risks and threats the industry faces today and tomorrow. I would highly recommend that fintech companies implement additional security measures both in the customer-facing applications and dashboards and in the internal storage where sensitive documents are kept. Encrypt sensitive data end to end, at rest as well as in transit; apply access controls so that it is always clear who can view or download data; and require multi-factor authentication (MFA) for customers, users, and employees alike. Security audits and penetration testing are important tools for identifying vulnerabilities and data exposures and should never be overlooked. Moreover, I recommend that fintech companies adopt data minimization policies: collect and store only the data that is actively needed, and delete outdated records that are no longer in use. Large holdings of sensitive records that serve no current purpose are a liability rather than an asset.
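The two storage rules above, tokenize or mask card data so that no usable fragment remains and delete records past their retention period, are easy to state and easy to get wrong. The following Python is an added example written for this article, not code from the report, from Vroom, or from any vendor. It shows a scan that flags card-like JSON fields revealing more than the last four digits (a partial number such as `411******1111` still leaks seven digits), and a minimization pass that replaces full PANs with a keyed HMAC token plus last four and drops stale records. The field names, the sample records, the retention period and the demo key are constructed assumptions; the card numbers are the well-known test PANs, not real accounts.

```python
import hmac
import hashlib
import json
import re
from datetime import date, timedelta

# Constructed sample data standing in for the JSON exports the report describes.
# The PANs are standard test numbers (they pass the Luhn check but belong to nobody).
SAMPLE_RECORDS = [
    {"customer_id": "c-001", "card_number": "4111 1111 1111 1111", "last_activity": "2025-01-10"},
    {"customer_id": "c-002", "card_number": "411******1111", "last_activity": "2022-03-05"},
    {"customer_id": "c-003", "card_number": "************4444", "last_activity": "2024-11-01"},
]

# Demo key only (assumption). In production the tokenization key lives in a KMS/HSM,
# never beside the data: a deterministic HMAC lets anyone holding the key
# enumerate candidate PANs and match tokens, so the key is the crown jewel.
DEMO_KEY = b"replace-me-with-a-kms-held-secret"

# 12-19 characters made of digits and common mask characters.
CARDLIKE = re.compile(r"^[0-9*xX#]{12,19}$")


def normalize(value: str) -> str:
    """Drop spaces and dashes so '4111 1111 1111 1111' and '4111-1111-...' compare equal."""
    return re.sub(r"[\s-]", "", value)


def luhn_ok(pan: str) -> bool:
    """Luhn check on a digit-only string; False for anything masked or non-numeric."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value) -> bool:
    """True for full or partially masked card numbers, False for ids, dates, tokens."""
    return isinstance(value, str) and bool(CARDLIKE.match(normalize(value)))


def visible_digits(value: str) -> int:
    """How many PAN digits a (possibly masked) string still reveals."""
    return sum(ch.isdigit() for ch in normalize(value))


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Display form: keep only the last `keep_last` digits, replace the rest with '*'."""
    digits = normalize(pan)
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 over the digit-only PAN: stable per card, so records can
    still be linked for fraud analytics, but not reversible without the key."""
    return hmac.new(key, normalize(pan).encode(), hashlib.sha256).hexdigest()


def scan_exposure(records, max_visible: int = 4):
    """Return (customer_id, field, visible_digit_count) for each card-like value
    that reveals more digits than policy allows. Partial numbers count too."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if looks_like_pan(value) and visible_digits(value) > max_visible:
                findings.append((rec["customer_id"], field, visible_digits(value)))
    return findings


def minimize(records, key: bytes, retention_days: int, today: date):
    """Apply both storage rules: drop records idle longer than the retention
    period, and replace every card-like field with (token, last4) so no PAN
    fragment beyond the last four digits remains in storage."""
    cutoff = today - timedelta(days=retention_days)
    kept = []
    for rec in records:
        if date.fromisoformat(rec["last_activity"]) < cutoff:
            continue  # retention policy: outdated record is deleted, not archived
        out = {}
        for field, value in rec.items():
            if looks_like_pan(value):
                digits = normalize(value)
                out[field + "_last4"] = digits[-4:]
                if luhn_ok(digits):  # a full PAN is present: tokenize it
                    out[field + "_token"] = tokenize_pan(digits, key)
                # an already-masked partial gets no token; only last4 survives
            else:
                out[field] = value
        kept.append(out)
    return kept


def demo_minimize():
    """Run the minimization pass over the constructed records with a 2-year retention."""
    return minimize(SAMPLE_RECORDS, DEMO_KEY, retention_days=730, today=date(2025, 6, 1))


if __name__ == "__main__":
    print("over-exposed fields:", scan_exposure(SAMPLE_RECORDS))
    print(json.dumps(demo_minimize(), indent=2))
```

Running the scan over the sample records flags the full PAN and the `411******1111` partial (seven visible digits), while the record masked to the last four passes. The minimization pass then drops the customer idle since 2022, tokenizes the one full PAN, and leaves the already-masked record with only its last four digits, so a second scan of the output finds nothing card-like to cross-reference.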
Finally, active monitoring and anomaly detection systems can identify suspicious activity and allow a response before a potential breach escalates into a critical incident. It is also important to notify users when their personal information has been exposed so that they are aware of the potential risks. Customers who may have had their PII exposed in a data breach should monitor their credit profiles, financial accounts, and identities for misuse or unauthorized activity. In the unfortunate event that customers do identify suspicious transactions or misuse, they should report them immediately to the authorities and to their financial institution. The most important thing is to remain vigilant: understand the risks and know what to look for, so that unauthorized activity is caught as early as possible. In the past, scammers and criminals have used information from data breaches to launch phishing attempts (via email or phone call), impersonating financial institutions or known service providers in a quest to obtain additional personal data. I always recommend verifying the authenticity of any unexpected request for personal or financial information, and using only official communication channels to transmit sensitive information. It is also a good idea to update all passwords and enable MFA as an extra layer of security on any accounts that may have been compromised. If an individual suspects their identity has been stolen, they should contact the Australian Cyber Security Centre (ACSC) and consider reporting it to Scamwatch to help prevent further fraud.

I imply no wrongdoing by Vroom, Drive IQ, YouX, or any contractors, affiliates, or related entities. I do not claim that internal, customer, or user data was ever at imminent risk. The hypothetical data-risk scenarios I have presented in this report are strictly and exclusively for educational purposes and do not reflect, suggest, or imply any actual compromise of data integrity.
This report should not be construed as a reflection of or commentary on any organization’s specific practices, systems, or security measures. As an ethical security researcher, I do not download the data I discover. I only take a limited number of screenshots as necessary and solely for verification purposes. I do not conduct any activities beyond identifying the security vulnerability and notifying the relevant parties. I disclaim any and all liability for any and all actions that may be taken as a result of this disclosure. I publish my findings to raise awareness of issues of data security and privacy. My aim is to encourage organizations to proactively safeguard sensitive information against unauthorized access.