Slashdot Mirror
Millions of Bank Loan and Mortgage Documents Have Leaked Online (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: [M]illions of documents were found leaking after an exposed Elasticsearch server was found without a password. The documents contained highly sensitive financial data on tens of thousands of individuals who took out loans or mortgages over the past decade with U.S. financial institutions. The documents were converted using a technology called OCR from their original paper documents to a computer readable format and stored in the database, but they weren't easy to read. That said, it was possible to discern names, addresses, birth dates, Social Security numbers and other private financial data by anyone who knew where to find the server. Independent security researcher Bob Diachenko and TechCrunch traced the source of the leaking database to a Texas-based data and analytics company, Ascension. When reached, the company said that one of its vendors, OpticsML, a New York-based document management startup, had mishandled the data and was to blame for the data leak.
It turns out that data was exposed again -- but this time, it was the original documents. Diachenko found the second trove of data in a separate exposed Amazon S3 storage server, which too was not protected with a password. Anyone who went to an easy-to-guess web address in their web browser could have accessed the storage server to see -- and download -- the files stored inside. The bucket contained 21 files containing 23,000 pages of PDF documents stitched together -- or about 1.3 gigabytes in size. Diachenko said that portions of the data in the exposed Elasticsearch database on Wednesday matched data found in the Amazon S3 bucket, confirming that some or all of the data is the same as what was previously discovered. Like in Wednesday's report, the server contained documents from banks and financial institutions across the U.S., including loans and mortgage agreements. We also found documents from the U.S. Department of Housing and Urban Development, as well as W-2 tax forms, loan repayment schedules and other sensitive financial information. Many of the files also contained names, addresses, phone numbers, Social Security numbers and more.
It turns out that data was exposed again -- but this time, it was the original documents. Diachenko found the second trove of data in a separate exposed Amazon S3 storage server, which too was not protected with a password. Anyone who went to an easy-to-guess web address in their web browser could have accessed the storage server to see -- and download -- the files stored inside. The bucket contained 21 files containing 23,000 pages of PDF documents stitched together -- or about 1.3 gigabytes in size. Diachenko said that portions of the data in the exposed Elasticsearch database on Wednesday matched data found in the Amazon S3 bucket, confirming that some or all of the data is the same as what was previously discovered. Like in Wednesday's report, the server contained documents from banks and financial institutions across the U.S., including loans and mortgage agreements. We also found documents from the U.S. Department of Housing and Urban Development, as well as W-2 tax forms, loan repayment schedules and other sensitive financial information. Many of the files also contained names, addresses, phone numbers, Social Security numbers and more.
mishandled the data and was to blame for the data leak
Stop passing the buck, if you paid them then your company shares the blame. Now when will companies like this start losing their corporate charter? This is getting ridiculous.
Not even close to the same thing. I work at a small under 1000 employee financial institution, and we perform multiple audits per year on our vendors and have dozens of audits performed on us each year. No breach of our clients' data would ever just be our vendor's fault. We could certainly share blame, and sue our vendor for damages, but the lose of trust from our clients would be by far the worst outcome.
-- All that is necessary for the triumph of evil is that good men do nothing. -- Edmund Burke
And the corporations simply give our information away, as usual.
We need a few CIO's to spend a few years in jail.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
I think AWS should provide a server list and some third party can do a vulnerability assessment against them. Then they publish a monthly "idiots" report. Things will be aired out before some moron has enough time to upload too much sensitive data.
Over time clients, auditors, and customers will drop the companies that make it onto that list. Those who can't properly protect their systems won't be in the business.
Also anyone hosting their own solutions without proper audits can have criminal liability sanctions against the operators, CEs, and managers. Like they can't ever hold such a position blah blah blah.
Problem will take care of itself.
It's a nice idea: the CIO of a bank spends time in jail because their bank's data leaks. The problem is that it's not ultimately fair; are you suggesting he spends all his time checking the databases personally? If not, then someone needs to be given that responsibility, but if it becomes their responsibility, they may not want the job...
This is why it's probably best to aim at LARGE fines for this sort of violation - starting at 1% of annual turnover for the first offence (multiplying rapidly if a refusal to address concerns is discovered), with the ability to insure against the fine if you employ suitably qualified contractors to do spot checks / audits etc; it becomes in the insurer's interest to get it right.
Overall the problem is that modern technology makes data leaks infinitely easier than when everything was on paper in filing cabinets. We need to face this, and data holders need to get it right.