24 million credit and mortgage records exposed on Elasticsearch database

An open Elasticsearch database has again been found, this time exposing 24.3 million mortgage and credit reports.

Independent cybersecurity researcher Bob Diachenko said he found the 51GB of optical character recognition (OCR) data earlier this month using public search engines like Shodan and Censys. The records contained very sensitive PII, including Social Security numbers, names, phones, addresses, credit history, and other details that are usually part of a mortgage or credit report.

“This information would be a gold mine for cybercriminals who would have everything they need to steal identities, file false tax returns, get loans or credit cards,” Diachenko wrote.

This is the third time this month that an open Elasticsearch database has been found. Earlier, four million intern applications from the youth group AIESEC, 108 million gambling records from several online casinos, and millions of calls and texts from Voipo were found by researchers.

Since many of the records indicated they were from CitiFinancial, Diachenko said he contacted that firm’s disclosure team on Jan. 10, explaining what was found. Citi returned his note the next day, and he was able to get in touch with a Citi representative, resulting in the files being secured as of January 15.

The financial firm did not send along additional details, Diachenko said, other than noting the information involved had been in the hands of a third party. However, a deeper dive conducted by Diachenko along with investigative partner TechCrunch revealed the third party to be the financial services company Ascension Data & Analytics. Ascension’s website indicates that the company does handle document management with OCR.

Jake Olcott, a vice president at BitSight, said that in this case a major financial institution issued loans based on personal data provided to the banks, then sold the loans to a third party, who then used Ascension Analytics to perform analysis on the loans.

“While a company like Citi arguably did nothing wrong here, this is an example of a financial organization that is currently experiencing some reputational repercussions due to a fourth-party cyber issue. It is becoming increasingly critical for organizations to understand and manage their fourth-party cyber risk,” Olcott said.

Colin Bastable, CEO of Lucy Security, added that companies like Ascension are used to help boost profit margins by offloading this type of work, without enough effort being made by either the original data owner or the third party to ensure they are secure.

“When U.S. lenders offload our mortgages and loans to third parties, they offload the data too, and wash their hands of all responsibility. In its drive for profitability, the US financial industry has outsourced many services to third party service providers, and at the heart of this fragmented industry is consumer data,” he told SC Media.
