In the latest reminder of just how vulnerable Americans’ sensitive financial data can be, a server security lapse at Ascension, a data and analytics company for the financial industry, based in Fort Worth, Texas, left the unencrypted information – some 24 million documents – available for anyone who knew where to look. Ascension offers financial institutions a service that converts documents into files that can be read by computers, a process known as OCR.
The server, which was running an Elasticsearch database, contained more than a decade’s worth of data – from loan and mortgage agreements to repayment schedules and other financial and tax documents – which offer an intimate insight into a person’s life. The information wasn’t protected by a password.
The database was only exposed for two weeks – but that was long enough for independent security researcher Bob Diachenko to find it. And if he was able to locate it, who knows how many professional cyber criminals were also able to find it? The database wasn’t shut down until mid-January, after TechCrunch inquired about it.
TechCrunch found that almost all of the documents pertained to loans and mortgages offered by some of the largest lenders in America dating as far back as 2008 (including some that are now defunct). Some of the sensitive information exposed by the unforced error included Social Security numbers and W-2 forms, which are used by scammers to claim refunds.
From our review, it was clear that the documents pertain to loans and mortgages and other correspondence from several of the major financial and lending institutions dating as far back as 2008, if not longer, including CitiFinancial, a now-defunct lending finance arm of Citigroup, files from HSBC Life Insurance, Wells Fargo, CapitalOne and some U.S. federal departments, including the Department of Housing and Urban Development.
Some of the companies have long been defunct, after selling their mortgage divisions and assets to other companies.
Though not all files contained the highly sensitive and personal data points, we found: names, addresses, birth dates, Social Security numbers and bank and checking account numbers, as well as details of loan agreements that include sensitive financial information, such as why the person is requesting the loan.
Some of the documents also note if a person has filed for bankruptcy, and others are tax documents, including annual W-2 tax forms, which are targets for scammers to claim false refunds.
Though most of the files were presented out of order, making it difficult for criminals to sift through the data, TechCrunch was able to verify the identities of all of the people identified in the files using public records.
Citi, one of the lenders identified in the documents, said it has no continuing relationship with the third party responsible for the leak.
Although the documents originate from these financiers, one bank – Citi, which helped to secure the data – said it had no current relationship with the company.
“Citi recently became aware that a third party, with no connection to Citi, was storing certain mortgage origination and modification documents in an unsecure online environment,” said a Citi spokesperson. “These documents contained information about current or former Citi customers, as well as customers from other financial institutions. Citi notified law enforcement, initiated a thorough forensic investigation and worked quickly to ensure the information could no longer be publicly accessed.”
Citi confirmed that “third party is a vendor to a company that had purchased the loans and we have found no evidence that Citi’s systems were compromised.”
The bank added that it’s working to identify potentially affected customers.
Dozens of other companies are affected, including smaller regional banks and larger multinationals.
A Wells Fargo spokesperson said the data was obtained by Ascension from other entities that purchased Wells Fargo mortgages. When reached, neither HSBC nor CapitalOne had comment at the time of publication. A Housing and Urban Development spokesperson did not respond to a request for comment. The department is currently affected by the ongoing government shutdown. If anything changes, we’ll update.
The breach is only the latest involving an Elasticsearch database. But it’s also a healthy reminder that it doesn’t take a data breach on par with JPM’s precedent-setting banking data breach to leave your information vulnerable to thieves.