A massive online data leak reportedly involving more than 24 million mortgage and bank loan documents exposed sensitive consumer information from several major U.S. lenders, according to a tech news website.
The security lapse was first reported by Zack Whittaker of TechCrunch Wednesday afternoon. The cause of the leak was an unprotected online server that didn’t have a password, which left millions of pages of sensitive documents accessible to anyone online, TechCrunch reported.
The exposed data included mortgage and loan agreements, amortization schedules and other sensitive financial documents that revealed borrowers’ names, addresses, phone numbers, Social Security numbers, and birth dates, among other data, according to the TechCrunch report.
Additionally, TechCrunch found that the data came from loans and mortgages dating back to 2008 (or earlier), and included files from CitiFinancial (formerly a lending finance division of Citigroup), HSBC Life Insurance, Wells Fargo, CapitalOne and some federal agencies, including the U.S. Department of Housing and Urban Development.
Although the information was online for just two weeks, independent infosecurity researcher Bob Diachenko was able to find the stockpile. In a blog post about his discovery, Diachenko writes that he found the exposed data on Jan. 10 in random parts (not in single reports), and immediately alerted one of the lenders to investigate. By Jan. 15, the database had been secured, Diachenko writes.
“These documents contained highly sensitive data, such as Social Security numbers, names, phones, addresses, credit history, and other details which are usually part of a mortgage or credit report,” Diachenko writes on his blog. “This information would be a gold mine for cyber criminals who would have everything they need to steal identities, file false tax returns, get loans or credit cards.”
TechCrunch assisted Diachenko in tracing the security lapse to Ascension, a data and analytics firm for the mortgage servicing industry based in Fort Worth, Texas. In addition to custom data analysis, Ascension converts paper documents into electronic files, which is where Diachenko said the leak originated.
From the TechCrunch article:
“Sandy Campbell, general counsel at Ascension’s parent company, Rocktop Partners, which owns more than 46,000 loans worth $4.4 billion, confirmed the security incident to TechCrunch, but said its systems were unaffected.
“On January 15, this vendor learned of a server configuration error that may have led to exposure of some mortgage-related documents,” he said in a statement. “The vendor immediately shut down the server in question, and we are working with third-party forensics experts to investigate the situation. We are also in regular contact with law enforcement investigators and technology partners as this investigation proceeds.”
An unspecified portion of the loans were shared with the contractor for analysis, the statement added, but couldn’t immediately confirm how many loan documents were exposed.”