Millions of Mortgage and Loan Documents Leaked

Millions of sensitive financial documents were exposed by unprotected servers from the biggest banks in the U.S. These documents went back a decade and include highly sensitive information that revealed financials information of customers.

The server contained documents regarding loan and mortgage agreements, repayment schedules, and tax documents. Customer names, addresses, date of birth, social security numbers, and other private data were also exposed. Many of the files came from banking institutions like, CitiFinancial, HSBC Life Insurance, Wells Fargo, CapitalOne, and some U.S federal departments.

Bob Diachenko, an independent security researcher, has commented saying:

 “This information would be a gold mine for cyber criminals who would have everything they need to steal identities, file false tax returns, get loans or credit cards.”

A Citi spokesperson has stated:

“Citi recently became aware that a third party, with no connection to Citi, was storing certain mortgage origination and modification documents in an unsecure online environment,

The server, a Elasticsearch database, leaked the documents for two weeks. The server unprotected without an password; essentially allowing anyone to access the information.

Diachenko was the first to find the vulnerable database. He informed TechCrunch, who then traced the database to Ascension, a data and analytics firm. After reaching to the firm they confirmed the security incident to TechCrunch. They further stated that a vendor they worked with had experienced a server error that lead to the leak.

“On January 15, this vendor learned of a server configuration error that may have led to exposure of some mortgage-related documents. The vendor immediately shut down the server in question, and we are working with third-party forensics experts to investigate the situation. We are also in regular contact with law enforcement investigators and technology partners as this investigation proceeds.”

Unfortunately, TechCrunch was unable to reach out to the vendor, OpticsML.

Diachenko found another server leaking data a few days later. This time an Amazon S3 storage server. The server was not password protected either. Diachenko mentioned that Amazon storage servers should be private by default and it seems like “someone would have made a conscious decision to set its permissions to public.”

This time the server contained 21 files of PDF documents that were related to banking and financial institutions. This server was also managed by OpticsML. When TechCrunch tried to reach out to them their website was no longer available, and the listed phone no longer worked. However, they did find an email address linked to the chief executive, Sean Lanning. The server was secured within an hour of the email.

Unfortunately, there is no way of knowing how many people may have accessed the servers before the vulnerabilities were discovered.

If you believe you organization was victim to an attack, contact LIFARS today