Millions of loan and mortgage banking files exposed online

A database with sensitive information on loans and mortgages has been recently leaked

Network security and ethical hacking specialists from the International Institute of Cyber Security report the discovery of a server holding more than 20 million bank documents, including records of thousands of loans and mortgages from some of the most important financial institutions in the U.S.

The server, running an ElasticSearch implementation, contains more than ten years of records on multiple highly sensitive financial and fiscal operations that could be used in various malicious activities against the victims of this incident. According to the first investigations, the server was not protected with a password, so anyone with sufficient knowledge could have accessed and read the document cache.

Network security specialists believe that the database was exposed online for about two weeks, long enough for Bob Diachenko, an expert in finding exposed databases on the Internet, to find the information. The database was finally secured on January 15th.

Diachenko traced the source of the leak back to the financial analysis company Ascencion, established in Texas. One of the main services provided by this company is the conversion of paper documents to digital files. According to the investigator, the leak consists exclusively of these digitized documents.

For her part, Sandy Campbell, manager of Rocktop Partners, parent company of Ascencion, confirmed the incident, although she stressed that their systems were not affected. Campbell also confirmed that the company will notify all affected customers and report the incident to the regulators responsible for this kind of incident.

Days later, Diachenko found a second storage
server containing the original documents from the first exposed database.

For network security experts, it is quite clear that the documents correspond to loans, mortgages and other matters from several of the major financial and credit institutions in the U.S. since 2008; among the institutions involved are CitiFinancial, Wells Fargo, CapitalOne, and even some U.S. federal agencies, such as the Department of Housing and Urban Development.

Although not all leaked files contained confidential information, it is possible to identify some personal details such as:

  • Full names
  • Addresses
  • Dates of birth
  • Social Security numbers
  • Bank account numbers
  • Credit information

The authenticity of the database content was verified by taking a sample of the leaked names and comparing them with some public records. For Diachenko, “this information is a gold mine for cybercriminals, because here you will find everything you need to carry out identity theft, solicit loans with fake information, etc.”