A massive database containing over 24 million banking and financial documents from some of the largest US banks was recently leaked online, available without a password for possibly two weeks. The database contained over 10 years of loan and mortgage agreements, tax documents, social security numbers, bank account numbers, names, addresses and more.
The server security lapse was first reported by Zack Whittaker at TechCrunch. According to independent researcher Bob Diachenko,
“These documents contained highly sensitive data. This information would be a gold mine for cyber criminals who would have everything they need to steal identities, file false tax returns, get loans or credit cards.”
Diachenko found the data in an unprotected Elasticsearch cluster. With help from TechCrunch, the leak was traced back to data and analytics company Ascension, based in Ft. Worth, Texas. One of Ascension’s services is converting paper documents and handwritten notes into computer files, a process known as optical character recognition (OCR). The OCR files were what the leak exposed.
Sandy Campbell, general counsel at Rocktop Partners, the parent company of Ascension, says,
“On January 15, this vendor learned of a server configuration error that may have led to exposure of some mortgage-related documents. The vendor immediately shut down the server in question, and we are working with third-party forensics experts to investigate the situation.”
The vendor was found to be New York-based company OpticsML, whose phone number and website have recently gone offline.
Fintech and data storage companies are working to develop decentralized database solutions to avoid similar leaks. Because they distribute sensitive data rather than holding it in one place, blockchain-based platforms are cryptographically secured and are designed to eliminate single points of failure, password lapses and internet exposure. Blockchain systems are also designed to regulate and control who has access to data, and to make such access transparent without having to rely on a report from one party or an intermediary.
TechCrunch reports that CitiFinancial, a now-defunct branch of Citigroup, was one of several large financial institutions affected by the leak, which also compromised personal data and sensitive files from HSBC, Wells Fargo, CapitalOne and the US Department of Housing and Urban Development.
A Citi spokesperson says,
“Citi recently became aware that a third party, with no connection to Citi, was storing certain mortgage origination and modification documents in an unsecure online environment. These documents contained information about current or former Citi customers, as well as customers from other financial institutions. Citi notified law enforcement, initiated a thorough forensic investigation and worked quickly to ensure the information could no longer be publicly accessed.”
Speaking to SC Media, Colin Bastable, CEO of Lucy Security, says big financial institutions offload work to companies like Ascension without securing the data that’s involved.
“When US lenders offload our mortgages and loans to third parties, they offload the data too, and wash their hands of all responsibility. In its drive for profitability, the US financial industry has outsourced many services to third party service providers, and at the heart of this fragmented industry is consumer data.”
Elasticsearch is a database for storing, retrieving and managing documents. While companies typically install Elasticsearch to improve their web application data indexing and search capabilities, they can also inadvertently expose their internal servers, loaded with troves of documents containing personal information, to the internet: a node bound to a public interface with no authentication on its REST API answers any query from anyone who finds it.
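The exposure pattern described above comes down to two settings in `elasticsearch.yml`: which address the node listens on (`network.host`) and whether the security layer is switched on (`xpack.security.enabled`). The following audit script is an added example written for this article, not code from any company or researcher named in it; the two configuration fragments it checks are constructed for illustration. It treats an absent `xpack.security.enabled` as disabled, which matches older releases' defaults (newer releases enable security by default, so confirm against the running version), and it only parses the flat `key: value` lines that `elasticsearch.yml` normally uses.

```python
"""Audit an elasticsearch.yml fragment for accidental internet exposure.

Flags a node that (a) binds its REST API to a non-loopback address and/or
(b) runs without authentication, the combination behind the leaks described
in the article. Example code; the configs below are constructed samples.
"""
import ipaddress

# Constructed sample: the misconfiguration that leaves a cluster wide open.
EXPOSED_CONFIG = """
cluster.name: document-index
network.host: 0.0.0.0          # listens on every interface
http.port: 9200
xpack.security.enabled: false  # no authentication on the REST API
"""

# Constructed sample: loopback-only bind plus authentication and TLS.
HARDENED_CONFIG = """
cluster.name: document-index
network.host: 127.0.0.1        # reach it via a reverse proxy or VPN, not directly
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Elasticsearch special values for network.host that resolve to routable addresses.
PUBLIC_SPECIAL_VALUES = {"_site_", "_global_", "0.0.0.0", "::"}
LOOPBACK_SPECIAL_VALUES = {"_local_", "localhost"}


def parse_flat_yaml(text):
    """Parse flat `key: value` lines; strips comments and surrounding quotes.
    Nested YAML is out of scope for this audit."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def host_is_public(host):
    """True when a single network.host entry binds to something other than loopback."""
    host = host.strip()
    if host in LOOPBACK_SPECIAL_VALUES:
        return False
    if host in PUBLIC_SPECIAL_VALUES:
        return True
    if host.startswith("_") and host.endswith("_"):
        return True  # _eth0_-style interface names: assume a routable address
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # an arbitrary hostname: assume it resolves off-box


def audit(settings):
    """Return (risk_level, findings) for parsed settings."""
    findings = []
    hosts = settings.get("network.host", "_local_")  # Elasticsearch's default is loopback
    # network.host may be an inline YAML list such as [0.0.0.0, ::]
    host_list = [h for h in hosts.strip("[]").split(",") if h.strip()]
    public_bind = any(host_is_public(h) for h in host_list)
    if public_bind:
        findings.append(f"network.host={hosts!r} binds the REST API to a non-loopback address")

    security_on = settings.get("xpack.security.enabled", "false").lower() == "true"
    if not security_on:
        findings.append("xpack.security.enabled is not true: anonymous read/write to every index")
    elif settings.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("xpack.security.http.ssl.enabled is not true: credentials travel in cleartext")

    if public_bind and not security_on:
        level = "CRITICAL"  # the article's scenario: reachable and unauthenticated
    elif public_bind or not security_on:
        level = "HIGH"
    else:
        level = "OK"
    return level, findings


def audit_config(text):
    """Parse and audit a configuration fragment in one call."""
    return audit(parse_flat_yaml(text))


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        level, findings = audit_config(cfg)
        print(f"{name}: {level}")
        for f in findings:
            print(f"  - {f}")
```

Run against a real node's `elasticsearch.yml` this gives a fast pre-deployment check; the same two questions (is port 9200 reachable from outside, and does an unauthenticated `GET /` answer) are what an external scan answers, so a CRITICAL result here is exactly the state that gets indexed by public search engines.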
The recent breach is one of four discovered this month on Elasticsearch. Researchers also discovered the following leaks.
- Millions of calls and text messages from Voipo
- Four million intern applications from the youth group AIESEC
- 108 million gambling records from online casinos
Last November Diachenko also discovered another Elasticsearch leak.
In a blog post, Diachenko wrote,
“On Nov 29th I identified an unprotected Elasticsearch cluster, available for public access, via Shodan engine. It took me some time before I analyzed the data and noted that almost all payment information (credit cards details) was related to Bancolombia, so I decided it would be the quickest possible solution to prevent this data from being stolen and report the incident directly to bank authorities.
Shortly after I contacted Bancolombia, the instance was secured (Nov. 30) and on the next day I was contacted by a representative of a company that managed the data, Waumovil, who thanked me for the heads up and said that ‘unfortunately we had some open ports that I was not aware of.’”
You can check out Diachenko’s full blog post on the Bancolombia data leak here.