Data and analytics company Ascension has suffered a data leak that exposed more than 24 million loan and mortgage documents from some of the country’s biggest banks.
A server running an Elasticsearch database contained sensitive data from as far back as 2008 that included loan and mortgage agreements, repayment schedules and other financial and tax documents. Unfortunately, the server wasn’t password protected, giving anyone access to the documents.
The database, which is believed to have been exposed for two weeks, was discovered by independent security researcher Bob Diachenko. Reporters were then able to help trace the leak back to Ascension, which offers a service that converts paper documents and notes into computer-readable files. It’s those documents that were exposed, Diachenko said.
Sandy Campbell, general counsel at Ascension’s parent company, Rocktop Partners, confirmed the incident, but said its systems were not impacted by the leak. He added the company will notify all affected customers, as well as report the incident to state regulators.
“On January 15, this vendor learned of a server configuration error that may have led to exposure of some mortgage-related documents,” he said in a statement. “The vendor immediately shut down the server in question, and we are working with third-party forensics experts to investigate the situation. We are also in regular contact with law enforcement investigators and technology partners as this investigation proceeds.”
Reporters were able to find out that the vendor mentioned is New York-based OpticsML. Its website is now offline and its phone number has been disconnected.
The leaked documents are from some of the biggest financial and lending institutions, including the now-defunct CitiFinancial, as well as HSBC Life Insurance, Wells Fargo, CapitalOne and some U.S. federal departments, including the Department of Housing and Urban Development. Some of the files included names, addresses, birth dates, Social Security numbers and bank and checking account numbers, as well as details of loan agreements.
“These documents contained highly sensitive data, such as Social Security numbers, names, phones, addresses, credit history and other details which are usually part of a mortgage or credit report,” Diachenko said. “This information would be a gold mine for cyber criminals who would have everything they need to steal identities, file false tax returns, get loans or credit cards.”