Massive Mortgage and Loan Data Leak Gets Worse as Original Documents Also Exposed


Millions of documents were found leaking from an exposed Elasticsearch server that had no password.

Highly sensitive financial data on tens of thousands of individuals who took out loans or mortgages over the past decade with U.S. financial institutions was converted to a computer-readable format using a technology called OCR and stored in the database. That database leaked after an exposed Elasticsearch server was found without a password, and thus someone who knew where to find the server has got hold of the names, addresses, birth dates, Social Security numbers and other private financial data of these people.

Independent security researcher Bob Diachenko and digital platform TechCrunch followed the trail and traced the source of the leaking database to a Texas-based data and analytics company, Ascension. However, when they asked the company, they were told that one of its vendors, OpticsML, a New York-based document management startup, had mishandled the data. This was last Wednesday.

Now that data has been exposed again, and this time it was the original documents.

Security researcher Bob Diachenko found the second trove of data in a separate exposed Amazon S3 storage server. This one too was not protected with a password, so anyone who knew the web address could open it in a web browser and see and download the original files stored inside. The bucket reportedly contained 21 files containing 23,000 pages of PDF documents stitched together, about 1.3 gigabytes in size. The server contained documents from banks and financial institutions across the U.S., including loans and mortgage agreements, and even from the U.S. Department of Housing and Urban Development, as well as W-2 tax forms, loan repayment schedules, and other sensitive financial information. Many of the files also contained names, addresses, phone numbers, Social Security numbers and more.

The data has now been secured, but the risk, as Diachenko said, is that the bucket might have been accessed many times before it was discovered.