Ascension’s data leak has gotten worse, with original loan and mortgage documents exposed again online.
Earlier this week, it was revealed that Ascension had suffered a data leak that exposed more than 24 million loan and mortgage documents from some of the country’s biggest banks.
The initial leak was discovered by independent security researcher Bob Diachenko, who then found a second round of data in a separate exposed Amazon S3 storage server, which was not password protected.
In a note to reporters, Diachenko said he was “very surprised” to find the server, especially since Amazon storage servers are set to private by default, so someone had to purposely make its permissions public.
The data in the bucket matched portions of data found in the initial leak, which included documents from the now-defunct CitiFinancial, as well as HSBC Life Insurance, Wells Fargo, Capital One and some U.S. federal departments, including the Department of Housing and Urban Development. Some of the files included names, addresses, birth dates, Social Security numbers and bank and checking account numbers, as well as details of loan agreements.
Sandy Campbell, general counsel at Ascension’s parent company, Rocktop Partners, confirmed that a vendor, later identified as New York-based OpticsML, discovered the leak, but Ascension’s systems were not impacted by it.
OpticsML chief technology officer John Brozena confirmed the second breach via email but declined to reveal how long the bucket was open and why it was set to public.
“We are working with the appropriate authorities and a forensic team to analyze the full extent of the situation regarding the exposed Elasticsearch server,” said Brozena. “As part of this investigation we learned that 21 documents used for testing were made identifiable by the previously discussed Elasticsearch leak. These documents were taken offline promptly.”
While he said OpticsML is “working to notify all affected parties,” Diachenko pointed out that there was no way of knowing how many times the bucket was accessed before it was discovered.
“I would assume that after such publicity like these guys had, first thing you would do is to check if your cloud storage is down or, at least, password-protected,” he said.