
Millions of Bank Loan and Mortgage Documents Have Leaked Online (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: [M]illions of documents were found leaking after an exposed Elasticsearch server was found without a password. The documents contained highly sensitive financial data on tens of thousands of individuals who took out loans or mortgages over the past decade with U.S. financial institutions. The documents were converted using a technology called OCR from their original paper documents to a computer readable format and stored in the database, but they weren't easy to read. That said, it was possible to discern names, addresses, birth dates, Social Security numbers and other private financial data by anyone who knew where to find the server. Independent security researcher Bob Diachenko and TechCrunch traced the source of the leaking database to a Texas-based data and analytics company, Ascension. When reached, the company said that one of its vendors, OpticsML, a New York-based document management startup, had mishandled the data and was to blame for the data leak.

It turns out that data was exposed again -- but this time, it was the original documents. Diachenko found the second trove of data in a separate exposed Amazon S3 storage server, which too was not protected with a password. Anyone who went to an easy-to-guess web address in their web browser could have accessed the storage server to see -- and download -- the files stored inside. The bucket contained 21 files containing 23,000 pages of PDF documents stitched together -- or about 1.3 gigabytes in size. Diachenko said that portions of the data in the exposed Elasticsearch database on Wednesday matched data found in the Amazon S3 bucket, confirming that some or all of the data is the same as what was previously discovered. Like in Wednesday's report, the server contained documents from banks and financial institutions across the U.S., including loans and mortgage agreements. We also found documents from the U.S. Department of Housing and Urban Development, as well as W-2 tax forms, loan repayment schedules and other sensitive financial information. Many of the files also contained names, addresses, phone numbers, Social Security numbers and more.
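The S3 bucket described above was readable by anyone who reached its URL, and the earlier Elasticsearch exposure was the same class of failure: storage reachable with no authentication. As an added example (not from the TechCrunch report, Diachenko, or anyone in this thread), here is a Python audit that flags the three ways an S3 bucket becomes world-readable: a bucket ACL granting access to the AllUsers or AuthenticatedUsers groups, a bucket policy whose principal is "*", and a Public Access Block with any of its four flags disabled. The sample ACL, policy and Public Access Block documents are constructed here and mirror the JSON shapes that `aws s3api get-bucket-acl`, `get-bucket-policy` and `get-public-access-block` return, so the same functions can be fed real output from those commands.

```python
"""Audit an S3 bucket's access configuration for public exposure.

Added example, not code from TechCrunch or the companies named in the story.
Inputs are the parsed JSON documents returned by the s3api calls named in
the comments; the sample documents at the bottom are constructed.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_public_grants(acl):
    """Grants in a get-bucket-acl document that reach everyone or any AWS account."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant['Permission']} to {group}")
    return findings


def _principal_is_public(principal):
    """True for Principal '*' or {'AWS': '*'} (or '*' inside an AWS list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Unconditional Allow statements in a bucket policy whose principal is public.

    Statements with a Condition block are skipped rather than flagged: they
    need manual review, since the condition may narrow access to one VPC or IP.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        sid = stmt.get("Sid", "<no Sid>")
        findings.append(f"Policy statement {sid} allows {', '.join(actions)} to everyone")
    return findings


def public_access_block_gaps(pab):
    """Public Access Block flags that are missing or false."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return [f"{flag} is not enabled" for flag in PAB_FLAGS if not cfg.get(flag, False)]


def audit_bucket(acl, policy, pab):
    """Run all three checks; an empty list means no public exposure was found."""
    return acl_public_grants(acl) + policy_public_statements(policy) + public_access_block_gaps(pab)


# Constructed sample: a bucket exposed in all three ways.
EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
# get-bucket-policy returns the policy as a JSON string under "Policy"; parse it first.
EXPOSED_POLICY = json.loads('{"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead", '
                            '"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", '
                            '"Resource": "arn:aws:s3:::example-bucket/*"}]}')
EXPOSED_PAB = {"PublicAccessBlockConfiguration": {flag: False for flag in PAB_FLAGS}}

# Constructed sample: the same bucket after hardening.
HARDENED_ACL = {"Grants": [EXPOSED_ACL["Grants"][0]]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role-placeholder"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]}
HARDENED_PAB = {"PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS}}

if __name__ == "__main__":
    for label, docs in (("exposed", (EXPOSED_ACL, EXPOSED_POLICY, EXPOSED_PAB)),
                        ("hardened", (HARDENED_ACL, HARDENED_POLICY, HARDENED_PAB))):
        findings = audit_bucket(*docs)
        print(f"{label}: {len(findings)} finding(s)")
        for line in findings:
            print("  -", line)
```

The Public Access Block check is the one that matters most in practice: with all four flags enabled, a stray public ACL or policy is ignored or rejected by S3 itself, so the other two findings become defence in depth rather than the only line. The same three documents can be pulled per bucket with the s3api commands named in the lead-in and piped into these functions from a scheduled job.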

  • It's duplicate "news" from last Monday.
    I guess you were ill all week.

  • mishandled the data and was to blame for the data leak

    Stop passing the buck, if you paid them then your company shares the blame. Now when will companies like this start losing their corporate charter? This is getting ridiculous.

    • by zlives ( 2009072 )

      When people realize security is not convenient and any attempt to make it convenient undermines it.
      So, never.

    • Stop passing the buck, if you paid them then your company shares the blame.

      Many individuals paid points on their loan. So by your logic, it is their own fault their data was leaked, since they paid for it.

      • Not even close to the same thing. I work at a small under 1000 employee financial institution, and we perform multiple audits per year on our vendors and have dozens of audits performed on us each year. No breach of our clients' data would ever just be our vendor's fault. We could certainly share blame, and sue our vendor for damages, but the loss of trust from our clients would be by far the worst outcome.

  • Who else is getting inline spam links that open up new windows when clicking legit links within Slashdot? (e.g. 3 replies below your threshold). Fake Google sites, "slot machine" sites, etc. instead of the /. content.

    I'm seeing it on Android Chrome (no ad blocker). If this is the only thing keeping the site afloat I want a copy of my data before it disappears forever.

  • A startup that doesn't know proper information technology security!? Now *THAT* is news!

    • by WCMI92 ( 592436 )

      The first thing that is cheaped out on is good IT support. Hire the best IT guys. Pay them well.

      • The first thing that is cheaped out on is good IT support. Hire the best IT guys.

        If you don't know anything about IT, then how do you know who is "best"?

  • it seems like the vast majority of data leaks involve improperly configured AWS services - mostly S3 and databases.
    AWS should require annual certification of any account with authorization to configure such services.

    • I think AWS should provide a server list and some third party can do a vulnerability assessment against them. Then they publish a monthly "idiots" report. Things will be aired out before some moron has enough time to upload too much sensitive data.

      Over time clients, auditors, and customers will drop the companies that make it onto that list. Those who can't properly protect their systems won't be in the business.

      Also anyone hosting their own solutions without proper audits can have criminal liability sanc

  • by Ol Olsoc ( 1175323 ) on Friday January 25, 2019 @08:20PM (#58024254)
    We'll get reminded how we need to continually change our passwords, use strong passwords, use encryption for everything, update immediately, or we'll cause the digital apocalypse, and browbeaten about our terrible security habits.....

    And the corporations simply give our information away, as usual.

    We need a few CIOs to spend a few years in jail.

    • It's a nice idea: the CIO of a bank spends time in jail because their bank's data leaks. The problem is that it's not ultimately fair; are you suggesting he spends all his time checking the databases personally? If not, then someone needs to be given that responsibility, but if it becomes their responsibility, they may not want the job...

      This is why it's probably best to aim at LARGE fines for this sort of violation - starting at 1% of annual turnover for the first offence (multiplying rapidly if a refusal

  • by Anonymous Coward

    Why is it that we can't get the credit card numbers of billionaires? Why is it always the data of middle class or poor people that is exposed? Seriously. These people can't afford to have their credit histories damaged, and yet, if we could hack the millionaires and billionaires of the USA, that data would be much more useful, because those people can afford to take a hit, and in fact, they could take the hit again, and again, and again, and never feel it. Sheesh!
