Slashdot Mirror


Millions of Bank Loan and Mortgage Documents Have Leaked Online (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: [M]illions of documents were found leaking after an exposed Elasticsearch server was found without a password. The documents contained highly sensitive financial data on tens of thousands of individuals who took out loans or mortgages over the past decade with U.S. financial institutions. The documents were converted using a technology called OCR from their original paper documents to a computer readable format and stored in the database, but they weren't easy to read. That said, it was possible to discern names, addresses, birth dates, Social Security numbers and other private financial data by anyone who knew where to find the server. Independent security researcher Bob Diachenko and TechCrunch traced the source of the leaking database to a Texas-based data and analytics company, Ascension. When reached, the company said that one of its vendors, OpticsML, a New York-based document management startup, had mishandled the data and was to blame for the data leak.

It turns out that data was exposed again -- but this time, it was the original documents. Diachenko found the second trove of data in a separate exposed Amazon S3 storage server, which too was not protected with a password. Anyone who went to an easy-to-guess web address in their web browser could have accessed the storage server to see -- and download -- the files stored inside. The bucket contained 21 files containing 23,000 pages of PDF documents stitched together -- or about 1.3 gigabytes in size. Diachenko said that portions of the data in the exposed Elasticsearch database on Wednesday matched data found in the Amazon S3 bucket, confirming that some or all of the data is the same as what was previously discovered. Like in Wednesday's report, the server contained documents from banks and financial institutions across the U.S., including loans and mortgage agreements. We also found documents from the U.S. Department of Housing and Urban Development, as well as W-2 tax forms, loan repayment schedules and other sensitive financial information. Many of the files also contained names, addresses, phone numbers, Social Security numbers and more.

43 comments

  1. We know by nospam007 · · Score: 1

    It's duplicate "news" from last Monday.
    I guess you were ill all week.

    1. Re:We know by Anonymous Coward · · Score: 0

      It's okay, Equifax had more records that are already dumped online.

  2. No, faceless corporation, you are to blame too. by Fly+Swatter · · Score: 2

    mishandled the data and was to blame for the data leak

    Stop passing the buck, if you paid them then your company shares the blame. Now when will companies like this start losing their corporate charter? This is getting ridiculous.

    1. Re:No, faceless corporation, you are to blame too. by zlives · · Score: 1

      when people realize security is not convenient and any attempt to make it convenient, undermines it.
      so, never.

    2. Re:No, faceless corporation, you are to blame too. by Anonymous Coward · · Score: 0

      They need to send the message that losing something which can never be 'unlost' is totally unacceptable. They should publicly execute some CEOs and DevOps shitbags together.

    3. Re:No, faceless corporation, you are to blame too. by ShanghaiBill · · Score: 1

      Stop passing the buck, if you paid them then your company shares the blame.

      Many individuals paid points on their loan. So by your logic, it is their own fault their data was leaked, since they paid for it.

  3. Good news by Anonymous Coward · · Score: 0

    Nobody on this site owns a home, and the basement they live in probably has a mortgage predating this.

  4. You know what? Shut it all down again. by Anonymous Coward · · Score: 0

    Until we get a 5.7 Billion dollar firewall, these drug-smuggling rapists are just going to keep driving their... super-fast, powerful vehicles... like nothing this world has ever seen...

  5. I'll check for you by Anonymous Coward · · Score: 0

    I'll help you determine if you are exposed!

    If you don't want to download the entire file or wait for your bank to FINALLY tell you they leaked your data.

    Anyhow, since I'm a fairly caring kinda guy, I'll check to see if your mortgaged info was leaked. If you can just get me your first/last name along with the social and mother's maiden name then I'll get back to you as fast as I can. Remember, free service, don't expect lightning results.

  6. Inline spam links by bill_mcgonigle · · Score: 1

    Who else is getting inline spam links that open up new windows when clicking legit links within Slashdot? (e.g. 3 replies below your threshold). Fake Google sites, "slot machine" sites, etc. instead of the /. content.

    I'm seeing it on Android Chrome (no ad blocker). If this is the only thing keeping the site afloat I want a copy of my data before it disappears forever.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

    1. Re:Inline spam links by aitikin · · Score: 1

      Definitely not getting anything, but I'm browsing on a computer...

      --
      "Don't meddle in the affairs of a patent dragon, for thou art tasty and good with ketchup." ~ohcrapitssteve

    2. Re:Inline spam links by Anonymous Coward · · Score: 0

      I'm seeing it on Android Chrome (no ad blocker).

      Not seeing anything here either. Maybe you rooted your phone with the wrong Chinese rootkit?

    3. Re:Inline spam links by Anonymous Coward · · Score: 0

      I'm seeing it on Android Chrome (no ad blocker). If this is the only thing keeping the site afloat I want a copy of my data before it disappears forever.

      Just you apparently. I'm assuming you're not rooted or you'd be using an adblocker.
      You probably have a malicious app installed on your phone.

  7. Startups by darkain · · Score: 1

    A startup that doesn't know proper information technology security!? Now *THAT* is news!

    1. Re: Startups by Anonymous Coward · · Score: 0

      Oh I imagine it is much worse than this. This is a story of soul searching, betrayal, career suicide, prison

    2. Re:Startups by WCMI92 · · Score: 1

      The first thing that is cheaped out on is good IT support. Hire the best IT guys. Pay them well.

      --
      Corporatism != Free Market

    3. Re:Startups by ShanghaiBill · · Score: 1

      The first thing that is cheaped out on is good IT support. Hire the best IT guys.

      If you don't know anything about IT, then how do you know who is "best"?

    4. Re:Startups by Anonymous Coward · · Score: 0

      If you don't know anything about IT, then how do you know who is "best"?

      When problems like this happen: fire the people in charge. Or better yet fire everyone.

  8. Annoying Leaks by Anonymous Coward · · Score: 0

    I'm always annoyed by leak articles. Where's all the data? I want to see if my info is in there. 'Criminals' already have the info, so let us have it as well.

    1. Re:Annoying Leaks by mossweb · · Score: 0

      This...^^ I don't want to go looking for it... Too much danger in them there bit rot holes around the internet.

  9. Good thing NSA and other 3-letters trust Amazon by Anonymous Coward · · Score: 0

    AWS, the best your stolen money can buy for everyone else. Get used to it. That is how it will be from now on.

  10. AWS should step up to the plate by cathector · · Score: 1

    it seems like the vast majority of data leaks involve improperly configured AWS services - mostly S3 and databases.
    AWS should require annual certification of any account with authorization to configure such services.

    1. Re: AWS should step up to the plate by orlanz · · Score: 2

      I think AWS should provide a server list and some third party can do a vulnerability assessment against them. Then they publish a monthly "idiots" report. Things will be aired out before some moron has enough time to upload too much sensitive data.

      Over time clients, auditors, and customers will drop the companies that make it onto that list. Those who can't properly protect their systems won't be in the business.

      Also anyone hosting their own solutions without proper audits can have criminal liability sanctions against the operators, CEs, and managers. Like they can't ever hold such a position blah blah blah.

      Problem will take care of itself.

    2. Re:AWS should step up to the plate by Anonymous Coward · · Score: 0

      For S3, AWS should make block public access default for new accounts. Then someone would have to turn that off and mess up the permissions. A lot of companies manage to mess up the permissions when that is the only access control.

      https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html
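As an added example (not part of the comment above or of any AWS tooling), here is a small offline evaluator of the settings the comment refers to: it takes a bucket's Block Public Access configuration, bucket policy and ACL grants in the shapes boto3 returns, and reports which anonymous-access paths remain open. All inputs are constructed inline, including a hypothetical bucket name; it also shows why BlockPublicPolicy alone does not neutralise an already-public policy.

```python
# Added example: offline evaluator of S3 Block Public Access vs. a bucket's policy/ACL.
# Input shapes follow boto3 output, but everything here is constructed; nothing talks to AWS.
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def _principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} means anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def policy_is_public(policy):
    """True if an Allow statement grants to everyone with no Condition narrowing it."""
    if not policy:
        return False
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return any(s.get("Effect") == "Allow" and _principal_is_public(s.get("Principal"))
               and not s.get("Condition") for s in stmts)

def acl_is_public(grants):
    """True if any ACL grant targets the AllUsers or AuthenticatedUsers group."""
    return any(g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS) for g in grants)

def assess_bucket(pab, policy, grants):
    """Return the anonymous-access paths left open; an empty list means none found.
    IgnorePublicAcls neutralises public ACL grants and RestrictPublicBuckets
    neutralises a public policy. BlockPublicAcls/BlockPublicPolicy only reject
    *new* public settings, so they are deliberately not treated as a fix here."""
    pab = pab or {}
    findings = []
    if acl_is_public(grants) and not pab.get("IgnorePublicAcls", False):
        findings.append("public ACL grant and IgnorePublicAcls is off")
    if policy_is_public(policy) and not pab.get("RestrictPublicBuckets", False):
        findings.append("public bucket policy and RestrictPublicBuckets is off")
    return findings

# Constructed sample inputs (hypothetical bucket, not the one in the article).
PUBLIC_POLICY = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
                          '"Principal": "*", "Action": "s3:GetObject", '
                          '"Resource": "arn:aws:s3:::example-loan-docs/*"}]}')
PUBLIC_GRANTS = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
NO_BLOCK = {}  # the weak setting: no Block Public Access configuration at all
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for name, pab in (("no block", NO_BLOCK), ("full block", FULL_BLOCK)):
        print(name, assess_bucket(pab, PUBLIC_POLICY, PUBLIC_GRANTS) or ["no anonymous access path"])
```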

  11. Re:You know what? Shut it all down again. by Anonymous Coward · · Score: 0

    Don't worry, in another 3 weeks it'll be shut down again. And it'll probably be shut down for a lot longer than this time.

  12. Re: No, faceless corporation, you are to blame too by ranton · · Score: 2

    Not even close to the same thing. I work at a small under 1000 employee financial institution, and we perform multiple audits per year on our vendors and have dozens of audits performed on us each year. No breach of our clients' data would ever just be our vendor's fault. We could certainly share blame, and sue our vendor for damages, but the loss of trust from our clients would be by far the worst outcome.

    --
    -- All that is necessary for the triumph of evil is that good men do nothing. -- Edmund Burke

  13. Same old, same old by Ol+Olsoc · · Score: 2

    We'll get reminded how we need to continually change our passwords, use strong passwords, use encryption for everything, update immediately, or we'll cause the digital apocalypse, and browbeaten about our terrible security habits.....

    And the corporations simply give our information away, as usual.

    We need a few CIO's to spend a few years in jail.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.

    1. Re:Same old, same old by Anonymous Coward · · Score: 0

      What we need is a law that bans MS products from being used in mission-critical deployments.

      Windows is a consumer / toy operating system and was never meant to be secure. Something like BSD (if you insist on free), or AIX / big iron mainframe is more appropriate. You never hear of those systems getting hacked. I'd suggest Sun Microsystems, but they're no longer with us. I dunno about HP/UX nowadays - but the point is these businesses use Windows 'cause it's cheap, and are unwilling to pay the real cost of doing it right. This is why government corporate regulation is so important and necessary for democracy and a free society.

      But we've (in the U.S.) got it bass-ackwards and we're strangling people with regulations instead.

      CAP === 'unneeded'

    2. Re:Same old, same old by Anonymous Coward · · Score: 0

      What we need is a law that bans MS products from being used in mission-critical deployments.

      Windows is a consumer / toy operating system and was never meant to be secure.

      True, but this is about elasticsearch, which (like all server software) is usually running on linux.
      Like all software anywhere, it can be setup wrong by incompetent fucks.

  14. When Data Leaks.... by Anonymous Coward · · Score: 1

    Why isn't it that we can't get the credit card numbers of billionaires? Why is it always the data of middle class or poor people that is exposed? Seriously. These people can't afford to have their credit histories damaged, and yet, if we could hack the millionaires and billionaires of the USA, that data would be much more useful, because those people can afford to take a hit, and in fact, they could take the hit again, and again, and again, and never feel it. Sheesh!

  15. IMPERSONATING me? I have a MacOS version... apk by Anonymous Coward · · Score: 0

    See subject: APK Hosts File Engine 1.0++ 64-bit for MacOS h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r M a c O S . z i p

    Yields more security/speed/reliability/anonymity vs. any 1 solution (99% of threats use hostnames vs. IP address most firewalls use) more efficiently/FASTER + NATIVELY 4 less!

    Vs. "Bolt on 'MoAr' illogic-logic" slowing you hosts speed u up 2 ways: Adblocks + Hardcode fav. sites u spend most time @ vs. competition loaded w/ security bugs (DNS/AntiVir) + overheads slowing u (messagepass 'souled-out' to advertisers easily detected & blocked addons + firewall filtering drivers) & their complexity leads to exploitation!

    * ONLY 1 of its kind in GUI 4 MacOS!

    (Better vs. Windows model in speed/efficiency)

    APK

    P.S.=> Protects against ALL known & unknown vulnerabilities. Now supports port filters in hosts. My work is world-class & China copied it because they can't do better. I am God's gift to Slashdot... apk

  16. Ol Olsoc = fake name massive human fail by Anonymous Coward · · Score: 0

    See subject: Your MASSIVE FAIL in this life is you're nothing more than a chattering little do-nothing "ne'er-do-well" online & you know it...

    * Is that the best your "phantasyland FAKE NAME" (for your fake lie of a so-called 'life') can manage?

    When a FAKE NAME do nothing like YOU does better than I have? Then talk (you're all talk & no action)...

    You can't help you're an immature little BUTTHURT no-mind, lol! I blew you away in TONS OF PLACES and easily dust your no-mind bullshit blatherings.

    APK

    P.S.=> The TRUE PRICE of your UNIDENTIFIABLE FAKE NAME do-nothing selves like you that I can ALWAYS CASH IN ON (lol) is that I can use FACT/TRUTH on them to SHATTER their all TOO fragile delusional egos that they actually know A DAMN THING in computing, lol... apk

    1. Re:Ol Olsoc = fake name massive human fail by Ol+Olsoc · · Score: 1

      See subject: Your MASSIVE FAIL in this life is

      Where ya been homie? Haven't seen any of your guided missives for a while. We were afraid the rehab might not have worked, but here ya are, smart and sassy as ever. Good to know you're still with us. Ciao!

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.

  17. loan by Farton · · Score: 0

    This is very unpleasant news and it is unclear how this could happen. Fortunately or unfortunately I do not give loans to banks because of bad credit history. Now I want Find the Best Lender and don't know where to apply to get a profitable loan. Any ideas?

  18. Personal responsibility is tricky by Bruce66423 · · Score: 2

    It's a nice idea: the CIO of a bank spends time in jail because their bank's data leaks. The problem is that it's not ultimately fair; are you suggesting he spends all his time checking the databases personally? If not, then someone needs to be given that responsibility, but if it becomes their responsibility, they may not want the job...

    This is why it's probably best to aim at LARGE fines for this sort of violation - starting at 1% of annual turnover for the first offence (multiplying rapidly if a refusal to address concerns is discovered), with the ability to insure against the fine if you employ suitably qualified contractors to do spot checks / audits etc; it becomes in the insurer's interest to get it right.

    Overall the problem is that modern technology makes data leaks infinitely easier than when everything was on paper in filing cabinets. We need to face this, and data holders need to get it right.

  19. No, I don't have the MacOS version ready... apk by Anonymous Coward · · Score: 0

    IMPERSONATING me AGAIN? MacOS model's NOT done yet so you can STOP now as you IMPERSONATE me here on /. nigh constantly, ok? Good!

    * Port Filters are not supported in my work on hosts (in fact, my program STOPS that error) & here's proof of it https://news.slashdot.org/comm...

    APK

    P.S.=> Hopefully, this 'sinks in' to your DULL BRAIN @ last, finally (for the 100th time now)... apk

  20. Re: No, faceless corporation, you are to blame too by Anonymous Coward · · Score: 0

    Cloud computing for yet another win. Apparently idiots are gonna idiot.

  21. Me? I write tools for good others like/use by Anonymous Coward · · Score: 0

    See subject & APK Hosts File Engine 2.0++ 64-bit for Linux/BSD h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p

    Yields more security/speed/reliability/anonymity vs. any 1 solution (99% of threats use hostnames vs. IP address most firewalls use) more efficiently/FASTER + NATIVELY 4 less!

    Vs. "Bolt on 'MoAr' illogic-logic" slowing u hosts speed u up 2 ways: Adblocks + Hardcode fav. sites u spend most time @ vs. competition w/ security bugs (DNS/AntiVir) + overheads slowing u (messagepass 'souled-out' to advertisers easily detected & blocked addons + firewall filtering drivers) & their complexity leads to exploit!

    * ONLY 1 of its kind in GUI 4 Linux/BSD (soon 4 MacOS)!

    (Better vs. Windows model)

    APK

    P.S.=> Protects vs. scripts/trackers (kernelmode faster vs. usermode slower NoScript vs. 3rd party script)/ads/DNS request tracking + redirect poisoned or downed DNS/botnets/malware download/malcript/email malicious payload