Dark Web News Analysis
A post on a dark web hacker forum advertises the sale of what the seller claims is the core user database of Aman Holding, a major Egyptian (EG) fintech, digital payments and e-commerce provider. The seller’s own wording points to an active, ongoing breach rather than a one-time dump. The details below are the seller’s claims as posted; they have not been independently verified.
Key details of this critical incident:
- Source: Aman (aman.eg), a major Egyptian financial services company.
- Data Content (KYC “Goldmine”):
- National ID numbers (Egypt’s 14-digit national identifier, a lifelong value that cannot be rotated the way a password can).
- Face Pictures (Biometric data, used for KYC/identity verification).
- A full user profile of 516 columns per record (PII, financial data, transaction history, etc.).
- CRITICAL: Active Breach: The seller states that “everyday new data includes”, i.e. new records are added to the listing every day. That wording is the key indicator that this is not a static backup dump: if it is true, the attacker still has read access to the live production database (or to an API or export path in front of it) and is exfiltrating the data of new customers as they sign up.
- Volume: 115,000 rows at the time of the post, claimed to be growing daily.
Key Cybersecurity Insights
If the seller’s claims hold, this is a national-level financial security incident for Egypt and a worst-case scenario for a fintech company.
- CRITICAL: Active, Ongoing Breach (The “Everyday New Data” Threat): This is the #1, time-sensitive threat. The company is not just breached; if the claim is accurate, it is losing data in near real time. The attacker retains read access to the core database, most likely through compromised database, admin or service-account credentials, a persistent backdoor on a host that can reach the database, or an API or export endpoint that returns bulk customer records. Each of these access paths leaves a different trace (database audit logs, host telemetry, API gateway logs), so the hunt has to cover all three rather than assume a network foothold.
- “ID Theft Goldmine” (National ID + Face Picture): Together these are the complete kit for identity theft in Egypt, because document-plus-selfie KYC checks are designed to match exactly these two artefacts. With a victim’s National ID and matching face picture, an attacker can:
- Pass remote KYC verification at other banks, fintechs or crypto exchanges, especially those without a liveness check.
- Take out fraudulent loans (a core Aman service).
- Commit financial fraud that passes the identity checks built to stop it, since those checks rely on the very data that leaked.
- The “516 Columns” (Total Data Compromise): A table with 516 columns is not a marketing list. It is consistent with a master user table, or with a flat export that joins every table keyed on the customer (PII, account status, transaction history, credit and installment data, KYC status, and so on). Either way, the attacker holds essentially the full per-customer record, not a subset.
- Catastrophic Regulatory Failure (Egypt – PDPL): This is a severe, multi-level violation of Egypt’s Personal Data Protection Law (PDPL, Law No. 151 of 2020).
- The law requires the controller to notify the Data Protection Centre (DPC) within 72 hours of becoming aware of a breach.
- The leaked data falls under the law’s definition of sensitive personal data (biometric data, here the face pictures, and financial data), which carries the highest penalties.
- Failing both to prevent and to detect an ongoing exfiltration of the core database exposes Aman to the maximum fines and to regulatory action.
Mitigation Strategies
This is a 5-alarm fire. The response must be immediate, decisive, and assume total, active network compromise.
- For Aman (The Company):
- IMMEDIATE: Activate “Assume Breach” IR Plan: Engage an external DFIR (digital forensics and incident response) firm now, and preserve evidence before anything is cleaned up: snapshot database audit logs, API gateway and load-balancer logs, VPN and bastion logs, and the hosts that hold database credentials.
- CRITICAL: Hunt & Eject the Attacker: The #1 priority is to find the attacker’s access path (backdoor, compromised credentials, vulnerable or over-privileged API, exposed replica or backup) and cut it off. The seller’s “new data every day” claim is a useful lead: look for a principal that reads the full customer table on a recurring schedule, for API calls that page through the entire customer base, and for database logins from addresses outside the application tier.
- CRITICAL: Invalidate ALL Credentials: Rotate all credentials across the organization (database passwords, API keys, admin accounts, service accounts, OAuth and session tokens). Rotation only helps if the access path is closed at the same time; rotating secrets while a backdoor or credential-harvesting foothold remains means the attacker simply collects the new ones. Sequence the rotation with the eviction, and watch for the bulk-read pattern reappearing afterwards.
- MANDATORY: Regulatory & Public Notification: Report the breach to the Egyptian Data Protection Centre (DPC) within the PDPL’s 72-hour window, and to the Central Bank of Egypt (CBE) as the financial regulator.
- MANDATORY: Notify All Customers: Notify all 115,000+ affected users (and every new sign-up until the access path is closed) that their National ID and face picture may have been stolen and that they are at elevated risk of identity theft. Unlike a password, neither a National ID number nor a face can be reissued, so the notice should tell customers what to watch for rather than what to reset.
- For Affected Aman Customers:
- CRITICAL: Proactive Fraud Alert: Assume your identity data is in criminal hands. Contact your bank(s) and other financial providers, explain that your National ID and photo were exposed, and ask them to flag your accounts so that new loans, cards or account openings in your name receive extra verification.
- Monitor All Accounts: Proactively monitor all bank accounts, credit, and financial services for any suspicious activity or loan applications you did not make.
- Phishing Vigilance: Be extremely skeptical of any unsolicited calls, emails or messages. Scammers will quote your real National ID and other personal details to “prove” they are legitimate; a caller knowing those details is no longer evidence that they are from Aman or from your bank.
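The “Everyday New Data” insight above and the Hunt & Eject step both come down to one detectable pattern: a single principal reading the whole customer table on a recurring schedule, with the row count creeping up as new customers sign up. The script below is an added example, not code from the original post or from Aman, that hunts for that pattern in database audit logs. The one-line-per-statement audit format, the table name `kyc_users`, the account names and the addresses are all constructed for the example; real sources (pgaudit, MySQL’s audit plugin, managed-database audit streams) use their own layouts, so only `parse_line()` should need changing.

```python
"""Hunt for the "new data every day" pattern in database audit logs.

Added example, not code from the original post or from Aman. The audit
record layout is a constructed, simplified one-line-per-statement format;
table, user and address names are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log. A reporting service account reads the whole KYC
# table every night from an address outside the application tier, while the
# application and an analyst generate ordinary, small queries.
SAMPLE_LOG = """\
2025-01-05T02:14:03Z user=svc_report src=203.0.113.9 table=kyc_users rows=115214 stmt=SELECT
2025-01-05T09:12:44Z user=app_api src=10.0.3.12 table=kyc_users rows=1 stmt=SELECT
2025-01-05T09:12:45Z user=app_api src=10.0.3.12 table=kyc_users rows=1 stmt=INSERT
2025-01-06T02:13:58Z user=svc_report src=203.0.113.9 table=kyc_users rows=115391 stmt=SELECT
2025-01-06T11:40:10Z user=app_api src=10.0.3.14 table=kyc_users rows=1 stmt=SELECT
2025-01-07T02:15:21Z user=svc_report src=203.0.113.9 table=kyc_users rows=115580 stmt=SELECT
2025-01-07T14:02:09Z user=analyst_1 src=10.0.8.5 table=kyc_users rows=2000 stmt=SELECT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+) stmt=(?P<stmt>\S+)$"
)


def parse_line(line):
    """Parse one audit record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["rows"] = int(rec["rows"])
    return rec


def find_recurring_bulk_reads(log_text, table, row_threshold, min_days):
    """Return {(user, src): [(date, rows), ...]} for every principal that read
    at least row_threshold rows from `table` in one statement on at least
    min_days distinct days. A one-off large read (a legitimate export, a
    migration) does not qualify; the same principal doing it day after day
    is the pattern a seller offering "new data every day" implies."""
    by_principal = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["table"] != table or rec["stmt"] != "SELECT":
            continue
        if rec["rows"] < row_threshold:
            continue
        day = rec["ts"].date()
        key = (rec["user"], rec["src"])
        # keep the largest read per day so growth between days stays visible
        by_principal[key][day] = max(by_principal[key].get(day, 0), rec["rows"])
    return {
        key: sorted(days.items())
        for key, days in by_principal.items()
        if len(days) >= min_days
    }


def row_growth(hits_for_principal):
    """Row counts of successive bulk reads. A steadily rising series means the
    reader is picking up newly created records, i.e. it is reading the live
    table rather than a stale snapshot."""
    return [rows for _day, rows in hits_for_principal]


if __name__ == "__main__":
    hits = find_recurring_bulk_reads(SAMPLE_LOG, "kyc_users", 10_000, 2)
    for (user, src), days in hits.items():
        print(f"{user}@{src}: bulk reads on {len(days)} days, rows {row_growth(days)}")
```

Set `row_threshold` from the table’s normal per-statement row counts (the application reads one customer at a time; anything near the table size is an export), and run the same logic over API gateway logs by mapping page size times pages to `rows`. A hit is a lead, not a verdict: a nightly reporting job can look identical, so the next step is to check whether the principal, the source address and the schedule are ones the business actually owns.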
Questions or Feedback? This analysis is based on threat intelligence from a dark web forum. A breach of a live financial database containing national KYC data is a critical-severity event. Brinztech provides cybersecurity services worldwide and does not endorse or guarantee the accuracy of external claims. For any inquiries or to report this post, please email: contact@brinztech.com