Earlier this month, independent security researcher Bob Diachenko discovered that more than 24 million loan and mortgage documents had been exposed in a data breach involving Ascension, a Texas-based data and analytics company.
The documents came from major financial institutions such as Citigroup, HSBC, Wells Fargo, and Capital One, as well as the Department of Housing and Urban Development.
“These documents contained highly sensitive data, such as social security numbers, names, phones, addresses, credit history, and other details which are usually part of a mortgage or credit report,” Diachenko said.
He described the exposed information as “a gold mine for cyber criminals who would have everything they need to steal identities, file false tax returns, get loans or credit cards.”
Just days after the initial discovery, Diachenko revealed that he found another cluster of data in a separate exposed Amazon S3 storage server, according to a TechCrunch report. Neither trove of data was protected with a password.
The security researcher told reporters that he was “very surprised” to find the server. Diachenko said the discovery was particularly alarming since Amazon storage servers are set to private by default, meaning someone had to make the server's permissions public.
A spokesperson for Ascension’s parent company, Rocktop Partners, said its systems were not impacted and confirmed that the database was shut down on January 15. The company said one of its vendors, New York-based OpticsML, had mishandled the data and was to blame for the data leak.
“We are working with the appropriate authorities and a forensic team to analyze the full extent of the situation regarding the exposed Elasticsearch server,” said OpticsML chief technology officer John Brozena. “As part of this investigation we learned that 21 documents used for testing were made identifiable by the previously discussed Elasticsearch leak. These documents were taken offline promptly.”
OpticsML is “working to notify all affected parties,” Brozena said.
Diachenko noted that it’s still not known how long the bucket was open and why it was set to public in the first place.