On January 15, OpticsML, a New York-based vendor, immediately shut down its server after learning that a configuration error had leaked millions of bank loan and mortgage documents, including highly sensitive financial data on customers who took loans from U.S. banks, according to a report in TechCrunch.
Sandy Campbell, General Counsel at Ascension’s parent company, Rocktop Partners, confirmed the incident to TechCrunch. TechCrunch’s report stated that the server, which was running an Elasticsearch database, held more than a decade’s worth of data, including loan and mortgage agreements, repayment schedules and financial and tax documents. The statement mentioned that a portion of the loans has been submitted for analysis, but that at the moment the exact number of loans exposed cannot be confirmed.
“The vendor immediately shut down the server in question, and we are working with third-party forensics experts to investigate the situation. We are also in regular contact with law enforcement investigators and technology partners as this investigation proceeds,” Campbell said.
“While sophisticated attacks may grab headlines, these types of misconfigurations can definitely be as impactful to the bottom line, if not more,” said Tim Erlin, VP, Product Management and Strategy, at cybersecurity firm Tripwire. He was reacting to the massive data breach in which thousands of borrowers may have had their mortgage and loan information leaked in a recent server security lapse.
“This wasn’t a sophisticated attack by a well-funded nation-state adversary. It was a misconfiguration, a mistake. Organizations need to be able to detect and remediate misconfigurations, period. This is highly sensitive data that was exposed to anyone willing to look for it,” he added.
According to TechCrunch, the server was not password protected and remained vulnerable for around two weeks before it was shut down on January 15. The leak was traced back to Fort Worth-based Ascension, a data and analytics company for the financial industry. The exposed data was the company’s bank of converted paper-to-digital documents, according to independent security researcher Bob Diachenko, who initially found the data. The affected documents include loans, mortgages and other correspondence from several of the major financial and lending institutions, dating as far back as 2008, including Citigroup, HSBC Life Insurance, Wells Fargo, Capital One and some U.S. federal departments, including the Department of Housing and Urban Development.
“These documents contained highly sensitive data, such as Social Security numbers, names, phones, addresses, credit history and other details which are usually part of a mortgage or credit report. This information would be a gold mine for cybercriminals who would have everything they need to steal identities, file false tax returns, get loans or credit cards,” Diachenko told TechCrunch.