Maria Montero

Millions of bank loans and mortgage documents have leaked into …

A trove of more than 24 million financial and banking documents, representing tens of thousands of loans and mortgages from some of the largest banks in the US, has been found online after a server security lapse.

The server, which runs an Elasticsearch database, held more than a decade of data, containing loan and mortgage agreements, payment schedules, and other highly sensitive financial and tax documents that reveal an intimate view of a person's financial life.

But it was not password protected, allowing anyone to access and read the massive cache of documents.

The database is believed to have been exposed for only two weeks, but that was long enough for independent security researcher Bob Diachenko to find the data. At first glance, it was not immediately known who owned the data. After several banks whose customer information was found on the server were consulted, the database was shut down on January 15.

With the help of TechCrunch, the leak was traced back to Ascension, a data and analytics company for the financial industry, based in Fort Worth, Texas. The company provides data analysis and portfolio valuations. Among its services, Ascension converts paper documents and handwritten notes into computer-readable files, a process known as OCR.

It is that collection of converted documents that was exposed, Diachenko said in his own review.

Sandy Campbell, general counsel of Ascension’s parent company, Rocktop Partners, which owns more than 46,000 loans worth $4.4 billion, confirmed the security incident to TechCrunch.

“On January 15, this provider learned of a server configuration error that may have led to the exposure of some mortgage-related documents,” it said in a statement. “The vendor immediately shut down the server in question and we are working with outside forensic experts to investigate the situation. We are also in regular contact with law enforcement investigators and technology partners as this investigation progresses.”

An unspecified portion of the loans was shared with the contractor for analysis, the statement added, but the company could not immediately confirm how many loan documents were exposed.

In a phone call, Campbell confirmed that the company will inform all affected customers and report the incident to state regulators under data breach notification laws.

From our review, it was clear that the documents relate to loans, mortgages and other correspondence from several of the major financial and lending institutions, dating back to 2008, if not earlier. They include CitiFinancial, a now-defunct loan financing arm of Citigroup, files from HSBC Life Insurance, Wells Fargo, CapitalOne, and some US federal departments, including the Department of Housing and Urban Development.

Some of the companies have been inactive for a long time, after selling their mortgage and asset divisions to other companies.

While not all files contained highly confidential and personal data points, we found names, addresses, dates of birth, Social Security numbers, and checking and bank account numbers, as well as details of loan agreements that include confidential financial information, such as why the person is applying for the loan.

Some of the documents also indicate whether a person has filed for bankruptcy, and some are tax documents, including annual W-2 tax forms, which are targets for scammers to claim false returns.

A randomly selected and redacted record reveals a loan agreement for an individual, including personal information such as loan amount, name, address, and Social Security number (Image: TechCrunch)