A treasure too many
More than 24 million financial and banking documents, representing tens of thousands of loans and mortgages from some of the largest banks in the US, have been found online after a server security lapse.
The server, which runs an Elasticsearch database, had more than a decade of data, containing loan and mortgage agreements, payment schedules, and other highly sensitive financial and tax documents that reveal an intimate view of the financial life of a person.
But it was not password protected, allowing anyone to access and read the massive cache of documents.
The database is believed to have only been exposed for two weeks, but that was long enough for independent security researcher Bob Diachenko to find the data. At first glance, it was not immediately known who owned the data. After consulting with several banks whose customer information was found on the server, the database was closed on January 15.
With the help of TechCrunch, the leak was traced back to Ascension, a data and analytics company for the financial industry, based in Fort Worth, Texas. The company provides data analysis and portfolio valuations. Among its services, Ascension converts paper documents and handwritten notes into computer-readable files, a process known as OCR.
It is that bank of converted documents that was exposed, Diachenko said in his own review.
Sandy Campbell, general counsel of Ascension’s parent company, Rocktop Partners, which owns more than 46,000 loans worth $4.4 billion, confirmed the security incident to TechCrunch.
“On January 15, this provider learned of a server configuration error that may have led to the exposure of some mortgage-related documents,” it said in a statement. “The vendor immediately shut down the server in question and we are working with outside forensic experts to investigate the situation. We are also in regular contact with law enforcement investigators and technology partners as this investigation progresses.”
An unspecified portion of the loans was shared with the contractor for analysis, the statement added, but it could not immediately confirm how many loan documents were exposed.
In a phone call, Campbell confirmed that the company will inform all affected customers and report the incident to state regulators under data breach notification laws.
From our review, it was clear that the documents refer to loans and mortgages and other correspondence from several of the major financial and lending institutions dating back to 2008, if not longer, such as CitiFinancial, a now-defunct loan financing arm of Citigroup, files from HSBC Life Insurance, Wells Fargo, CapitalOne, and some US federal departments, including the Department of Housing and Urban Development.
Some of the companies have been inactive for a long time, after selling their mortgage and asset divisions to other companies.
While not all files contained highly confidential and personal data points, we found names, addresses, dates of birth, Social Security numbers, and checking and bank account numbers, as well as details of loan agreements that include confidential financial information, such as why the person is applying for the loan.
Some of the documents also indicate whether a person has filed for bankruptcy and a tax return, including annual W-2 tax forms, which are targets for scammers to claim false returns.
But the database stored the documents in a random order and did not present them in an easy-to-read format, making it difficult to track from one document to another, Diachenko said.
We verified the authenticity of the data by checking a portion of the names in the database against public records.
“These documents contained highly confidential information such as social security numbers, names, phone numbers, addresses, credit history, and other details that are generally part of a mortgage or credit report,” Diachenko told TechCrunch. “This information would be a gold mine for cybercriminals who would have everything they need to steal identities, file false tax returns, obtain loans or credit cards.”
Although the documents come from these financiers, one bank, Citi, which helped secure the data, said it had no current relationship with the company.
“Recently, Citi became aware that a third party, with no connection to Citi, was storing certain mortgage origination and modification documents in an insecure online environment,” said a Citi spokesperson. “These documents contained information about current or former Citi clients, as well as clients of other financial institutions. Citi notified law enforcement authorities, initiated a thorough forensic investigation, and worked quickly to ensure that the information was no longer accessible to the public.”
Citi confirmed that “the third party is a supplier to a company that purchased the loans and we have found no evidence that Citi’s systems were compromised.”
The bank added that it is working to identify potentially affected clients.
Dozens of other companies are affected, including the smallest regional banks and the largest multinationals.
A Wells Fargo spokesperson said Ascension obtained the data from other entities that purchased Wells Fargo mortgages. When reached, neither HSBC nor CapitalOne had comment at the time of publication. A spokesperson for Housing and Urban Development did not respond to a request for comment. The department is currently affected by the ongoing government shutdown. If anything changes, we will update.
It is the latest in a series of security lapses related to Elasticsearch databases.
Last year a massive database leaking millions of SMS text messages in real time was found and secured, as well as a popular massage service and, more recently, AIESEC, the largest non-profit organization run by young people.