A massive store of data that includes loan agreements, payment schedules tax documents and other financial records was openly accessible on a public server until recently, according to security researcher Bob Diachenko and TechCrunch.
The data, totaling about 24 million records, was being stored in an unsecured server by Ascension Data and Analytics, a company that sells various technical services to the financial industry, according to Diachenko. The researcher said he worked with TechCrunch reporter Zack Whittaker to track the data to Ascension.
Diachenko wrote in a blog post published Wednesday that he notified Ascension after making the discovery on Jan. 10, and that the data was secured by Jan. 15. The report says the 51 gigabytes’ worth of data on the server consisted of individual pages of documents that were submitted by financial institutions for optical character recognition – the conversion of handwriting text into machine-readable text. Some of the documents dated as far back as 2008.
Some, not all, of the documents “contained highly sensitive data, such as social security numbers, names, phones, addresses, credit history, and other details which are usually part of a mortgage or credit report. This information would be a gold mine for cyber criminals who would have everything they need to steal identities, file false tax returns, get loans or credit cards,” Diachenko wrote.
The records themselves stem from organizations including HSBC Life Insurance, Wells Fargo, CapitalOne, CitiFinancial, the U.S. Department of Housing and Urban Development and others, according to TechCrunch. At least some of these organizations have said they have no current relationship with Ascension.
Rob Sherman, HSBC’s U.S. head of media relations, told CyberScoop in a statement: “We are currently investigating if any of our customers’ data may have been impacted, and will take any necessary steps to protect our customers, including past customers. HSBC has had no vendor relationship with Ascension since 2010.”
Spokespeople for Citibank and Wells Fargo are quoted telling TechCrunch that the loans and mortgages that bear those companies’ names were actually sold to other collectors that then used Ascension’s services. CitiFinancial was a former division of Citibank and no longer exists.
A spokesperson for Capital One did not respond to a request for comment.
Diachenko said he came across the server, which he said lacked authentication, using a public search engine that indexes connected computer systems. It’s not clear how long the data was openly visible any other unauthorized people accessed it.
“The public configuration allows the possibility of cybercriminals to manage the entire system with full administrative privileges,” Diachenko said. “Although companies acted fast to secure their data it is unclear how long it may have been publicly available or who else might have accessed the millions of records containing [personally identifiable information].”