More than 24 million financial and banking documents, representing tens of thousands of loans and mortgages from some of the largest banks in the United States, have been found online after a server security failure.
The server, running an Elasticsearch database, held more than a decade of data, including loan and mortgage agreements, repayment schedules, and other highly sensitive financial and tax documents that give an intimate glimpse into a person's financial life.
But it wasn’t password protected, allowing anyone to access and read the huge cache of documents.
The database is believed to have been exposed for only two weeks, but that was long enough for an independent security researcher, Bob Diachenko, to find the data. At first glance, it was not clear who owned the data. Following inquiries with several banks whose customer information was found on the server, the database was shut down on January 15th.
With help from TechCrunch, the leak was traced to Ascension, a financial industry data and analytics company based in Fort Worth, TX. The company provides data analytics and portfolio valuations. Among its services, Ascension converts paper documents and handwritten notes into computer-readable files, called OCRs.
It was this bank of converted documents that was exposed, Diachenko said in his own article.
Sandy Campbell, general counsel for Ascension’s parent company, Rocktop Partners, which holds more than 46,000 loans worth $4.4 billion, confirmed the security incident to TechCrunch, but said its systems were not affected.
“On January 15, this provider learned that a server configuration error may have led to the exposure of certain mortgage-related documents,” he said in a statement. “The vendor immediately shut down the server in question and we are working with third-party forensic experts to investigate the situation. We are also in regular contact with law enforcement investigators and technology partners as this investigation progresses.”
An unspecified portion of the loans was shared with the vendor for analysis, the statement added, but the company could not immediately confirm how many loan documents were exposed.
TechCrunch has learned that the provider is New York-based OpticsML. Efforts to reach the company were unsuccessful. Its website is offline and its phone number has been disconnected.
A day later, Diachenko found a second storage server containing the original documents from the first exposed database. (You can read more about the second exposure here.)
During a phone call, Campbell confirmed that the company will notify all affected customers and report the incident to state regulators under data breach notification laws.
From our review, it was clear that the documents related to loans and mortgages and other correspondence from several of the major financial and credit institutions, dating as far back as 2008, if not earlier. They include CitiFinancial, a now-defunct lending arm of Citigroup, as well as records from HSBC Life Insurance, Wells Fargo, CapitalOne and certain US federal departments, including the Department of Housing and Urban Development.
Some companies are long gone, having sold their divisions and mortgage assets to other companies.
While not all files contained highly sensitive personal data, we did find names, addresses, dates of birth, social security numbers, and bank and checking account numbers, as well as details of loan agreements that include sensitive financial information, such as why the person is applying for the loan.
Some of the documents also show whether a person has filed for bankruptcy, and include tax documents such as annual W-2 tax forms, which are targets for crooks seeking to claim bogus refunds.
But the documents were stored in the database in random order and were not presented in an easy-to-read or formatted manner, making it difficult to track from document to document, said Diachenko.
We verified the authenticity of the data by checking a portion of the names in the database against public records.
“These documents contained very sensitive data, such as social security numbers, names, phones, addresses, credit history and other details that are typically part of a mortgage or credit report,” Diachenko told TechCrunch. “This information would be a gold mine for cybercriminals who have everything they need to steal identities, file false tax returns, obtain loans or obtain credit cards.”
Although the documents come from these financiers, one bank – Citi, which helped secure the data – said it currently has no relationship with the company.
“Citi recently learned that a third party, unrelated to Citi, was storing certain original and mortgage modification documents in an unsecured online environment,” a Citi spokesperson said. “These documents contained information about current and former clients of Citi, as well as clients of other financial institutions. Citi notified law enforcement, launched a thorough forensic investigation, and worked quickly to ensure the information was no longer publicly available.”
Citi confirmed that “the third party is a supplier to a company that purchased the loans and we found no evidence that Citi’s systems were compromised.”
The bank added that it was working to identify potentially affected customers.
Dozens of other companies are affected, including smaller regional banks and larger multinationals.
A Wells Fargo spokesperson said the data was obtained by Ascension from other entities that have purchased mortgages from Wells Fargo. HSBC said it was investigating data from its customers, including former customers, and confirmed it had “no supplier relationship with Ascension since 2010”. When reached, CapitalOne did not comment by the time of publication. A spokesperson for Housing and Urban Development did not respond to a request for comment. The department is currently affected by the ongoing government shutdown. If anything changes, we’ll update.
It is the latest in a series of security vulnerabilities involving Elasticsearch databases.
A huge database containing millions of real-time SMS messages was found and secured last year, as was one belonging to a popular massage service and, most recently, one belonging to AIESEC, the largest nonprofit run by young people for work opportunities.
Updated with comments from HSBC and additional details regarding OpticsML, and again with the addition of the second exposure.
Do you have a tip? You can send tips securely via Signal and WhatsApp at +1 646-755-8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.