Bob Diachenko, an independent security researcher, discovered a server running an Elasticsearch database that contained loan and mortgage agreements, repayment schedules, and other financial tax documents, left unprotected for two weeks. The exposed data contained sensitive personal information, such as people’s names, addresses, social security numbers, bank and checking account numbers, as well as details of loan agreements.
The exposed files were from some large financial and lending institutions, including CitiFinancial, HSBC Life Insurance, Wells Fargo, CapitalOne, and some US federal departments, including the Department of Housing and Urban Development.
It is not yet clear how many people were affected by the breach, or whether anyone accessed any of the files.
The breach was traced back to Ascension. Sandy Campbell, general counsel of Ascension’s parent company, announced the incident but said its systems were unaffected, according to Software Testing News. On January 15th, the vendor with whom the data company worked learned of a server configuration error that may have led to the exposure of some mortgage-related documents.
Reporters at TechCrunch found that the vendor is the New York-based company OpticsML. TechCrunch attempted to contact the company but was unsuccessful.
Commenting on this incident, Mike Jordan, CISSP, CRISC, CTPRP, Senior Director, The Shared Assessments Program, said that “this brings to mind one of the complexities in Third Party Risk Management. At least one of the banks affected wasn’t even a customer of the company allegedly responsible for this data leak. Hacked subcontractors or downstream service providers can harm companies that have no business relationship with each other. Even individuals can be affected by parties of which they have no explicit relationship, such as credit bureaus and data brokers.”