Massive mortgage and loan data leak worsens as original documents are also exposed – TechCrunch

Remember that massive mortgage and lending data leak we reported on Wednesday?

In case you missed it, millions of documents were found on an exposed Elasticsearch server that had no password. The documents contained highly sensitive financial data on tens of thousands of people who took out loans or mortgages over the past decade from US financial institutions. The documents had been converted from their original paper form into a machine-readable format using a technology called OCR and stored in the database, but they were not easy to read. That said, anyone who knew where to find the server could discern names, addresses, dates of birth, social security numbers, and other private financial data.

Independent security researcher Bob Diachenko and TechCrunch traced the source of the database leak to a Texas-based data and analytics firm, Ascension. When contacted, the company said one of its vendors, OpticsML, a New York-based document management startup, mishandled the data and was responsible for the data leak.

It turns out the data was once again exposed – only this time it was the original documents.

Diachenko found the second treasure trove of data in a separate exposed Amazon S3 storage server, which was also not password protected. Anyone who went to an easy-to-guess web address in their web browser could have accessed the storage server to view – and download – the files stored inside.

In a note to TechCrunch, Diachenko said he was “very surprised” to find the server in the first place, let alone open and accessible. Since Amazon storage servers are private by default and not accessible over the web, someone would have had to make a conscious decision to set its permissions to public.

The bucket contained 21 files containing 23,000 pages of assembled PDF documents, approximately 1.3 gigabytes in size. Diachenko said portions of the data from the Elasticsearch database exposed on Wednesday matched data found in the Amazon S3 bucket, confirming that some or all of the data is the same as previously discovered. As in Wednesday’s report, the server contained documents from banks and financial institutions across the United States, including loans and mortgage agreements. We also found documents from the US Department of Housing and Urban Development, as well as W-2 tax forms, loan repayment schedules, and other sensitive financial information.

Two of the files – redacted – found on the exposed storage server (Image: TechCrunch)

Many files also contained names, addresses, phone numbers, social security numbers, etc.

When we tried to reach OpticsML on Wednesday, their website had gone offline and the phone number listed had been disconnected. After browsing an old cached version of the site, we found an email address.

TechCrunch emailed GM Sean Lanning, and the bucket was secured within the hour.

Lanning acknowledged our email but made no comment. Instead, OpticsML CTO John Brozena confirmed the breach in a separate email, but declined to answer several questions about the exposed data, including how long the bucket was open and why it was made public.

“We are working with the relevant authorities and a forensic team to analyze the full extent of the situation regarding the exposed Elasticsearch server,” Brozena said. “As part of this investigation, we have learned that 21 documents used for testing have been made identifiable by the previously discussed Elasticsearch leak. These documents were taken offline quickly.”

He added that OpticsML “strives to notify all affected parties” when instructed to notify customers and state regulators, in accordance with state data breach notification laws.

But Diachenko said it was impossible to say how many times the bucket might have been accessed before it was discovered.

“I guess after such publicity like these guys, the first thing you would do is check if your cloud storage is down or at least password protected,” he said.
