24 Million Mortgage, Loan Documents Exposed Through an Unprotected Server

A 24 million financial and banking documents bounty, representative of thousands of loans and mortgages from some major U.S., financial institutions were discovered online, unprotected, after a server security lapse.

TechCrunch reported the server, operating an Elasticsearch database, had more than 10 years of accumulated data including loan and mortgage contracts, reimbursement schedules, tax documents and other sensitive personal financial info. “It’s believed that the database was only exposed for two weeks — but long enough for independent security researcher Bob Diachenko to find the data (on January 10). At first glance, it wasn’t immediately known who owned the data. After we inquired with several banks whose customers information was found on the server, the database was shut down on January 15.” Diachenko discovered the data freely accessible via the internet and not even protected by a password.

In total, the database contained more than 24 million records totaling some 51 GB of data and 23,000 pages of PDF documents. Many, but not all, of the documents contained full names, addresses, Social Security numbers, credit history, loan amounts, repayment schedules, and other details typically related to mortgages or other loans.

With help from TechCrunch, the breach was traced back to Fort Worth, Texas-based Ascension, which offers data analysis and portfolio valuations as well as the conversion of paper documents and handwritten notes into OCR files, which were the ones exposed.

Diachenko also found a second storage server in a separate exposed Amazon S3 storage server containing the original documents from the first exposed database.

Experts reacted to news.

Jake Olcott, a vice president at BitSight, said his company would describe this as a fourth party risk issue for major financial institutions. “What happened here is that the financial institutions sold loans to third party organizations, who then used Ascension Analytics to perform analysis on the loans. Ascension Analytics is the organization that experienced the security issue in this case.” He added, while a company like Citi arguably did nothing wrong, this is an example of a financial organization currently experiencing some reputational repercussions due to a fourth party cyberissue.

“Armed with exposed Social Security numbers, names, addresses, credit history, phone numbers, W-2 forms and other sensitive information, a malicious actor can level significant damage against individuals affected by this breach,” Ruchika Mishra, director of products and solutions, Balbix, said. “Actions could range from identity theft, filing false tax returns, applying for loans or credit cards in a victim’s name—the list goes on.”

Mishra suggested, “Organizations are tasked with the hefty burden of continuously monitoring all assets and more than 200 potential attack vectors to detect vulnerabilities.” He added, through this process, companies are likely to detect thousands of vulnerabilities—far too many to tackle all at once. The key to preventing a breach as devastating as Ascension’s is to leverage security tools that employ artificial intelligence and machine learning that analyze the tens of thousands of data signals to prioritize which vulnerabilities to fix first, based on risk and business criticality.

Colin Bastable, CEO, Lucy Security, said, “When U.S. lenders offload our mortgages and loans to third parties, they offload the data too, and wash their hands of all responsibility. In its drive for profitability, the U.S. financial industry has outsourced many services to third-party service providers, and at the heart of this fragmented industry is consumer data.”

Bastable remarked, “In this case, the data has been re–digitized from paper records and mismanaged in a now notorious database known for great data analysis but lousy security. That the database admins forgot to secure the data with a password should shock us, but it doesn’t.”

George Wrenn, CEO, CyberSaint Security, said, “This incident is a reminder that it is critical that we set high expectations for security and data protection when dealing with sensitive information. Organizations need to understand their gaps, and identify areas to build on their security posture at all times. This is especially true in cases where sensitive and personal information could be exposed.”

Pravin Kothari, CEO of cloud security vendor CipherCloud, noted “This data exposure of 24 million records was totally avoidable. This was not the work of an active hacker or anything like that. Based upon what has been reported so far it seems totally like an internal administrative error.”

Kothari suggested in the final analysis, cloud providers secure their infrastructure, but it is up to organizations to secure data on their platform. “You are responsible. There are tools to help you manage this and protect the data, but you must use them. One solution is to encrypt the data in the cloud. Encrypted data is unintelligible to cyber attackers and thus is not considered breached.”