Millions of Bank Loan and Mortgage Documents Have Leaked Online (techcrunch.com) 43
An anonymous reader quotes a report from TechCrunch: [M]illions of documents were found leaking after an exposed Elasticsearch server was found without a password. The documents contained highly sensitive financial data on tens of thousands of individuals who took out loans or mortgages over the past decade with U.S. financial institutions. The documents were converted using a technology called OCR from their original paper documents to a computer readable format and stored in the database, but they weren't easy to read. That said, it was possible to discern names, addresses, birth dates, Social Security numbers and other private financial data by anyone who knew where to find the server. Independent security researcher Bob Diachenko and TechCrunch traced the source of the leaking database to a Texas-based data and analytics company, Ascension. When reached, the company said that one of its vendors, OpticsML, a New York-based document management startup, had mishandled the data and was to blame for the data leak.
It turns out that data was exposed again -- but this time, it was the original documents. Diachenko found the second trove of data in a separate exposed Amazon S3 storage server, which too was not protected with a password. Anyone who went to an easy-to-guess web address in their web browser could have accessed the storage server to see -- and download -- the files stored inside. The bucket contained 21 files containing 23,000 pages of PDF documents stitched together -- or about 1.3 gigabytes in size. Diachenko said that portions of the data in the exposed Elasticsearch database on Wednesday matched data found in the Amazon S3 bucket, confirming that some or all of the data is the same as what was previously discovered. Like in Wednesday's report, the server contained documents from banks and financial institutions across the U.S., including loans and mortgage agreements. We also found documents from the U.S. Department of Housing and Urban Development, as well as W-2 tax forms, loan repayment schedules and other sensitive financial information. Many of the files also contained names, addresses, phone numbers, Social Security numbers and more.
It turns out that data was exposed again -- but this time, it was the original documents. Diachenko found the second trove of data in a separate exposed Amazon S3 storage server, which too was not protected with a password. Anyone who went to an easy-to-guess web address in their web browser could have accessed the storage server to see -- and download -- the files stored inside. The bucket contained 21 files containing 23,000 pages of PDF documents stitched together -- or about 1.3 gigabytes in size. Diachenko said that portions of the data in the exposed Elasticsearch database on Wednesday matched data found in the Amazon S3 bucket, confirming that some or all of the data is the same as what was previously discovered. Like in Wednesday's report, the server contained documents from banks and financial institutions across the U.S., including loans and mortgage agreements. We also found documents from the U.S. Department of Housing and Urban Development, as well as W-2 tax forms, loan repayment schedules and other sensitive financial information. Many of the files also contained names, addresses, phone numbers, Social Security numbers and more.
We know (Score:2)
It's duplicate "news" from last Monday.
I guess you were ill all week.
No, faceless corporation, you are to blame too. (Score:3)
mishandled the data and was to blame for the data leak
Stop passing the buck, if you paid them then your company shares the blame. Now when will companies like this start losing their corporate charter? This is getting ridiculous.
Re: (Score:2)
when people realize security is not convenient and any attempt to make it convenient, undermines it.
so, never.
Re: (Score:2)
Stop passing the buck, if you paid them then your company shares the blame.
Many individuals paid points on their loan. So by your logic, it is their own fault their data was leaked, since they paid for it.
Re: No, faceless corporation, you are to blame too (Score:3)
Not even close to the same thing. I work at a small under 1000 employee financial institution, and we perform multiple audits per year on our vendors and have dozens of audits performed on us each year. No breach of our clients' data would ever just be our vendor's fault. We could certainly share blame, and sue our vendor for damages, but the lose of trust from our clients would be by far the worst outcome.
Inline spam links (Score:2)
Who else is getting inline spam links that open up new windows when clicking legit links within Slashdot? (e.g. 3 replies below your threshold). Fake Google sites, "slot machine" sites, etc. instead of the /. content.
I'm seeing it on Android Chrome (no ad blocker). If this is the only thing keeping the site afloat I want a copy of my data before it disappears forever.
Re: (Score:2)
Startups (Score:2)
A startup that doesn't know proper information technology security!? Now *THAT* is news!
Re: (Score:2)
The first thing that is cheaped out on is good IT support. Hire the best IT guys. Pay them well.
Re: (Score:2)
The first thing that is cheaped out on is good IT support. Hire the best IT guys.
If you don't know anything about IT, then how do you know who is "best"?
AWS should step up to the plate (Score:2)
it seems like the vast majority of data leaks involve improperly configured AWS services - mostly S3 and databases.
AWS should require annual certification of any account with authorization to configure such services.
Re: AWS should step up to the plate (Score:3)
I think AWS should provide a server list and some third party can do a vulnerability assessment against them. Then they publish a monthly "idiots" report. Things will be aired out before some moron has enough time to upload too much sensitive data.
Over time clients, auditors, and customers will drop the companies that make it onto that list. Those who can't properly protect their systems won't be in the business.
Also anyone hosting their own solutions without proper audits can have criminal liability sanc
Same old, same old (Score:3)
And the corporations simply give our information away, as usual.
We need a few CIO's to spend a few years in jail.
Re: (Score:2)
See subject: Your MASSIVE FAIL in this life is
Where ya been homie? Haven't seen any of your guided missives for a while. We were afraid the rehab might not have worked, but here ya are, smart and sassy as ever. Good to know you're still with us. Ciao!
Personal responsibility is tricky (Score:3)
It's a nice idea: the CIO of a bank spends time in jail because their bank's data leaks. The problem is that it's not ultimately fair; are you suggesting he spends all his time checking the databases personally? If not, then someone needs to be given that responsibility, but if it becomes their responsibility, they may not want the job...
This is why it's probably best to aim at LARGE fines for this sort of violation - starting at 1% of annual turnover for the first offence (multiplying rapidly if a refusal
When Data Leaks.... (Score:1)
Why isn't it that we can't get the credit card numbers of billionaires? Why is it always the data of middle class or poor people that is exposed? Seriously. These people can't afford to have their credit histories damaged, and yet, if we could hack the millionaires and billionaires of the USA, that data would be much more useful, because those people can afford to take it hit, and in fact, they could take the hit again, and again, and again, and never feel it. Sheesh!