
Millions of bank loan and mortgage documents have leaked online

A trove of more than 24 million financial and banking documents, representing tens of thousands of loans and mortgages from some of the biggest banks in the U.S., has been found online after a server security lapse.

The server, running an Elasticsearch database, had more than a decade’s worth of data, containing loan and mortgage agreements, repayment schedules and other highly sensitive financial and tax documents that reveal an intimate insight into a person’s financial life.

But it wasn’t protected with a password, allowing anyone to access and read the massive cache of documents.

It’s believed that the database was only exposed for two weeks — but long enough for independent security researcher Bob Diachenko to find the data. At first glance, it wasn’t immediately known who owned the data. After we inquired with several banks whose customers’ information was found on the server, the database was shut down on January 15.

With help from TechCrunch, the leak was traced back to Ascension, a data and analytics company for the financial industry, based in Fort Worth, Texas. The company provides data analysis and portfolio valuations. Among its services, Ascension converts paper documents and handwritten notes into computer-readable files — known as OCR.

It’s that bank of converted documents that was exposed, Diachenko said in his own write-up.

Sandy Campbell, general counsel at Ascension’s parent company, Rocktop Partners, which owns more than 46,000 loans worth $4.4 billion, confirmed the security incident to TechCrunch, but said its systems were unaffected.

On January 15, this vendor learned of a server configuration error that may have led to exposure of some mortgage-related documents. The vendor immediately shut down the server in question, and we are working with third-party forensics experts to investigate the situation. We are also in regular contact with law enforcement investigators and technology partners as this investigation proceeds.

An unspecified portion of the loans were shared with the contractor for analysis, the statement added, but couldn’t immediately confirm how many loan documents were exposed.

TechCrunch has learned that the vendor is New York-based company OpticsML. Efforts to reach the company were unsuccessful. Its website is offline and its phone number was disconnected from service.

A day later, Diachenko found a second storage server containing the original documents from the first exposed database. (You can read more about the second exposure here.)

In a phone call, Campbell confirmed that the company will inform all affected customers, and report the incident to state regulators under data breach notification laws.

From our review, it was clear that the documents pertain to loans and mortgages and other correspondence from several of the major financial and lending institutions dating as far back as 2008, if not longer, including CitiFinancial, a now-defunct lending finance arm of Citigroup, files from HSBC Life Insurance, Wells Fargo, CapitalOne and some U.S. federal departments, including the Department of Housing and Urban Development.

Some of the companies have long been defunct, after selling their mortgage divisions and assets to other companies.

Though not all files contained the highly sensitive and personal data points, we found: names, addresses, birth dates, Social Security numbers and bank and checking account numbers, as well as details of loan agreements that include sensitive financial information, such as why the person is requesting the loan.

Some of the documents also note if a person has filed for bankruptcy and tax documents, including annual W-2 tax forms, which are targets for scammers to claim false refunds.

But the database stored documents in a random order, and they were not presented in an easy-to-read or formatted way, making it difficult to follow from one document to another, said Diachenko.

We verified the authenticity of data by checking a portion of names in the database with public records.

“These documents contained highly sensitive data, such as Social Security numbers, names, phones, addresses, credit history and other details which are usually part of a mortgage or credit report,” Diachenko told TechCrunch. “This information would be a gold mine for cyber criminals who would have everything they need to steal identities, file false tax returns, get loans or credit cards.”

Although the documents originate from these financiers, one bank — Citi, which helped to secure the data — said it had no current relationship with the company.

“Citi recently became aware that a third party, with no connection to Citi, was storing certain mortgage origination and modification documents in an unsecure online environment,” said a Citi spokesperson. “These documents contained information about current or former Citi customers, as well as customers from other financial institutions. Citi notified law enforcement, initiated a thorough forensic investigation and worked quickly to ensure the information could no longer be publicly accessed.”

Citi confirmed that “third party is a vendor to a company that had purchased the loans and we have found no evidence that Citi’s systems were compromised.”

The bank added that it’s working to identify potentially affected customers.

Dozens of other companies are affected, including smaller regional banks and larger multinationals.

A Wells Fargo spokesperson said the data was obtained by Ascension from other entities that purchased Wells Fargo mortgages. HSBC said it was investigating if any of its customers’ data, including past customers, and confirmed it had “no vendor relationship with Ascension since 2010.” When reached, CapitalOne did not comment at the time of publication. A Housing and Urban Development spokesperson did not respond to a request for comment. The department is currently affected by the ongoing government shutdown. If anything changes, we’ll update.

It’s the latest in a series of security lapses involving Elasticsearch databases.

A massive database leaking millions of real-time SMS text message data was found and secured last year, as well as a popular massage service and, most recently, AIESEC, the largest youth-run nonprofit for working opportunities.

Updated with comment from HSBC and additional details regarding OpticsML, and again with additional details of the second exposure.

This content has been reproduced from its original source.
