CALIFORNIA, U.S. – A trove of over 24 million financial and banking documents from some of the biggest banks in the U.S. has been discovered by a security researcher.
The researcher, Bob Diachenko, who found the data after a server security lapse, said that the unsecured server contained loan and mortgage agreements, repayment schedules and other highly sensitive financial and tax documents representing tens of thousands of loans and mortgages from U.S. banks.
According to the researcher, the server was found to be running an Elasticsearch database.
He said that it contained more than a decade’s worth of data and documents, including some that were highly sensitive and revealed an intimate insight into a person’s financial life.
Available information about the discovery shows that the trove wasn’t protected with a password, which meant that anyone could access it and read the massive cache of documents.
The data Diachenko discovered is believed to have been exposed for a span of two weeks before the server was shut down on January 15.
So far, it is not known who owns the data, but reports have confirmed that information on customers of several banks was found on the server.
A report in TechCrunch noted that the leak had been traced back to a data and analytics company called Ascension.
The Fort Worth, Texas-based analytics company for the financial industry provides data analysis and portfolio valuations, and converts paper documents and handwritten notes into computer-readable files, a process known as OCR.
In his post about the leaked documents, Diachenko wrote that this bank of converted documents had been exposed online.
Documents related to Citigroup’s now-defunct lending finance arm called CitiFinancial, HSBC Life Insurance, Wells Fargo, CapitalOne and some U.S. federal departments, including the Department of Housing and Urban Development, were part of the trove of data discovered.
The files contained names, addresses, birth dates, Social Security numbers and bank and checking account numbers of customers, including some loan agreements with sensitive and personal financial information of customers.
Diachenko also noted that “the database stored documents in a random order, and were not easily followable or presented in an easy to read or formatted way, making it difficult to follow from one document to another.”
He further added, “These documents contained highly sensitive data, such as Social Security numbers, names, phones, addresses, credit history and other details which are usually part of a mortgage or credit report. This information would be a gold mine for cybercriminals who would have everything they need to steal identities, file false tax returns, get loans or credit cards.”
Confirming the discovery, Sandy Campbell, General Counsel at Ascension’s parent company, Rocktop Partners, said that its systems were unaffected.
Campbell said in a statement, “On January 15, this vendor learned of a server configuration error that may have led to the exposure of some mortgage-related documents. The vendor immediately shut down the server in question, and we are working with third-party forensics experts to investigate the situation. We are also in regular contact with law enforcement investigators and technology partners as this investigation proceeds.”
The statement by the company added that an unspecified portion of the loans were shared with the contractor for analysis.
Campbell added that the company would now inform all affected customers, and report the incident to state regulators under data breach notification laws.
Following the exposé, Citi is said to have helped to secure the data.
A Citi spokesperson issued a statement saying, “Citi recently became aware that a third party, with no connection to Citi, was storing certain mortgage origination and modification documents in an unsecured online environment. These documents contained information about current or former Citi customers, as well as customers from other financial institutions. Citi notified law enforcement, initiated a thorough forensic investigation and worked quickly to ensure the information could no longer be publicly accessed.”
It also confirmed that “third party is a vendor to a company that had purchased the loans and we have found no evidence that Citi’s systems were compromised.”