Data and analytics company Ascension has suffered a huge data breach that leaked more than 24m loan and mortgage documents from some of the most prominent banks in the US, according to a TechCrunch report.
As stated in the report, a server running an Elasticsearch database contained loan and mortgage agreements, repayment schedules, and other financial and tax documents.
The server, which contained more than a decade’s worth of data, wasn’t password protected.
The database, which was left unprotected for two weeks, was discovered by Bob Diachenko, an independent security researcher.
The leaked data also contained highly sensitive personal information, including people’s names, addresses, social security numbers, bank and checking account numbers, as well as details of loan agreements.
The exposed files were from some of the largest financial and lending institutions, including the now-defunct CitiFinancial, HSBC Life Insurance, Wells Fargo, CapitalOne, and some US federal departments, including the Department of Housing and Urban Development.
It’s not yet clear how many people were affected by the breach, or if anyone accessed any of the files.
According to TechCrunch, the breach was traced back to Ascension. TechCrunch reported the exposed data appears to have come from files processed on Ascension’s OCR, a computer process that converts paper documents into electronic files.
Sandy Campbell, general counsel of Ascension’s parent company, announced the incident but said its systems were unaffected.
Server configuration error
“On January 15th, this vendor learned of a server configuration error that may have led to the exposure of some mortgage-related documents,” he said in a statement.
“The vendor immediately shut down the server in question, and we are working with third-party forensics experts to investigate the situation. We are also in regular contact with law enforcement investigators and technology partners as this investigation proceeds.”
Reporters at TechCrunch were able to find out that the vendor is New York-based company OpticsML. TechCrunch attempted to contact the company but was unsuccessful.
According to the article, their website is no longer operational and their phone number has also been disconnected.
Unprotected cloud storage and passwordless databases exposed online are becoming very common in today’s cloud computing environment, according to Ilia Kolochenko, CEO of web security company High-Tech-Bridge. He said large organisations continue to struggle to maintain “petabytes of their data under control and inventory.”
“Numerous suppliers and partners may urgently need their data for various legitimate business purposes, but fail to maintain appropriate internal security controls.
“Third-party risk management is not a silver bullet either, as quite frequently access to data is time-sensitive and many companies are prone to close their eyes to some of the imperfections of the third-party security mechanisms.
“A large-scale scan of the Internet will likely produce hundreds, if not thousands of similar databases with critical, sensitive and privileged data being hosted somewhere without any protection.”
Hefty penalty charges
Kolochenko said that organisations that fail to detect and respond to a data breach could face a potentially large financial penalty.
“From a legal point of view, the companies whose negligence leads to data exposure may be liable for considerable financial penalties and/or face individual and even class action lawsuits,” the High-Tech-Bridge CEO said.
“Security researchers who access and process the data should also be careful, as under certain circumstances they may break the criminal law and also expose themselves to other legal ramifications,” he added.