Millions of sensitive mortgage documents were left exposed on the internet for two weeks in a massive data breach that could affect an unknown number of people.
According to the report, the server “had more than a decade’s worth of data, containing loan and mortgage agreements, repayment schedules and other highly sensitive financial and tax documents that reveal an intimate insight into a person’s financial life.”
But the server and all of its information was left unprotected for at least two weeks.
It’s believed that the database was only exposed for two weeks — but long enough for independent security researcher Bob Diachenko to find the data. At first glance, it wasn’t immediately known who owned the data. After we inquired with several banks whose customers information was found on the server, the database was shut down on January 15.
According to the report, the database contained mortgage and financial documents stretching back to at least 2008, and included documents from Citigroup, Wells Fargo, Capital One, and the Department of Housing and Urban Development, among others.
And worst of all, the documents contained highly sensitive personal information, including people’s names, addresses, dates of birth, Social Security numbers, and other sensitive information typically found on mortgage documents.
According to the article, the breach was sourced back to Ascension, a Fort Worth, Texas-based company that provides data and analytics to the financial services industry.
The exposed data appears to have come from documents Ascension processed using OCR, a computer process that converts paper documents into electronic documents.
Again from TechCrunch:
Sandy Campbell, general counsel at Ascension’s parent company, Rocktop Partners, which owns more than 46,000 loans worth $4.4 billion, confirmed the security incident to TechCrunch.
“On January 15, this vendor learned of a server configuration error that may have led to exposure of some mortgage-related documents,” he said in a statement. “The vendor immediately shut down the server in question, and we are working with third-party forensics experts to investigate the situation. We are also in regular contact with law enforcement investigators and technology partners as this investigation proceeds.”
According to the article, the company plans to notify all affected consumers as well as appropriate law enforcement authorities.
For much more on the story, click here to read TechCrunch’s article.