Millions of loan and mortgage banking files exposed online

A database with sensitive information on loans and mortgages was recently leaked

Network security and ethical hacking specialists from the International Institute of Cyber Security report the discovery of a server holding more than 20 million bank documents, including records of thousands of loans and mortgages from some of the most important financial institutions in the U.S.

The server, which was running Elasticsearch, contains more than ten years of records on multiple highly sensitive financial and fiscal operations that could be used in various malicious activities against the victims of this incident. According to the first investigations, the server was not protected with a password, so anyone with sufficient knowledge could have accessed and read the document cache.

Network security specialists believe that the database was exposed online for about two weeks, long enough for Bob Diachenko, an expert in finding exposed databases on the Internet, to find the information. The database was finally secured on January 15th.

Diachenko traced the source of the leak back to the financial analysis company Ascension, based in Texas. One of the main services provided by this company is the conversion of paper documents to digital files. According to the investigator, the leak consists exclusively of these digitized documents.

Sandy Campbell, manager of Rocktop Partners, the parent company of Ascension, confirmed the incident, although she stressed that their systems were not affected. Campbell also confirmed that the company will notify all affected customers and report the incident to the relevant regulators.

Days later, Diachenko found a second storage server containing the original documents from the first exposed database.

According to network security experts, the documents clearly correspond to loans, mortgages and other matters handled since 2008 by several of the major financial and credit institutions in the U.S. The institutions involved include CitiFinancial, Wells Fargo, CapitalOne, and even some U.S. federal agencies, such as the Department of Housing and Urban Development.

Although not all leaked files contained confidential information, it is possible to identify some personal details such as:

  • Full names
  • Addresses
  • Dates of birth
  • Social Security numbers
  • Bank account numbers
  • Credit information

The authenticity of the database content was verified by taking a sample of the leaked names and comparing them with public records. For Diachenko, “this information is a gold mine for cybercriminals, because here you will find everything you need to carry out identity theft, solicit loans with fake information, etc.”