Massive mortgage data breach gets worse

Further investigation found yet another breach, which exposed thousands more sensitive mortgage documents

A massive data breach that exposed vital information on tens of thousands of mortgages is even worse than initially suspected, according to a new report.

More than 24 million financial documents – including vital information on tens of thousands of mortgages from some of the nation’s largest banks – were recently exposed after a server security lapse, according to an investigation by TechCrunch. The server had more than 10 years’ worth of data, including mortgage agreements and repayment schedules, according to TechCrunch. But the server wasn’t password-protected, meaning anyone could access the data.

The database was believed to have been exposed for only two weeks, but that was long enough for an independent security researcher to find the data. While it wasn’t immediately clear who owned the server, TechCrunch was able to trace it to Ascension, a Texas-based data and analytics company. Ascension told TechCrunch that one of its vendors, New York-based OpticsML, had mishandled data and was at fault for the breach.

TechCrunch and independent security researcher Bob Diachenko traced the breach back to OpticsML, and found that even more mortgage data was exposed – this time, original documents. According to TechCrunch, Diachenko found a “second trove” of data in a separate server – once again, not protected by a password.

“Anyone who went to an easy-to-guess web address in their web browser could have accessed the storage server to see – and download – the files stored inside,” TechCrunch reported.

The server contained 23,000 pages of PDF documents, including sensitive mortgage documents, W-2 forms, and documents from government agencies. Many documents included sensitive information such as addresses and Social Security numbers, TechCrunch reported.

Diachenko told TechCrunch he was “very surprised” that he was able to access the data, which was stored on an Amazon server. Amazon servers are set to “private” by default, which means someone would have to have made a conscious decision to set the server’s permissions to public, TechCrunch said.

When told about the breach by TechCrunch, OpticsML set the server to private. A representative told the publication that people affected by the breach would be notified. But Diachenko warned that there was no way to tell how many times the information had been accessed before the breach was discovered.