24 million home loan documents exposed in data security lapse
A security lapse left millions of mortgage records exposed online without proper data protection, according to security researchers.
The cache of more than 24 million records contains sensitive borrower information, including social security numbers, tax data, mortgage origin and modification agreements and other information related to tens of thousands of loans dating back over a decade, according to a joint report by TechCrunch and security researcher Bob Diachenko.
"From our review, it was clear that the documents relate to loans and mortgages and other correspondence from several of the major financial and lending institutions that go back as far as 2008, if not anymore, including CitiFinancial, a present-day lending financing by Citigroup, files from HSBC Life Insurance, Wells Fargo, CapitalOne and some US federal departments, including the Department of Housing and Urban Development," TechCrunch reported.
The exposed data consists mainly of digital discs created with optical character recognition software, technology that extracts information from physical documents and converts it to data that can be stored in databases and analyzed.
"[T]he leaked back to Ascension, a data and analytics company for the financial industry, based in Fort Worth, Texas," reported TechCrunch. "The company provides data analysis and portfolio assessment."
Researchers estimate that the database was exposed without password protection for at least two weeks before it was taken down, Diachenko wrote. It is unclear how many individuals' data was compromised and to what extent the information was captured by cyber criminals.
Ascension is owned by RockTop Partners, an Arlington, Texas-based alternative investment manager specializing in mortgages. A RockTop lawyer confirmed the incident to TechCrunch and attributed it to a vendor.
"On January 15, this provider learned of a server configuration error that could have exposed some mortgage-related documents," lawyer Sandy Campbell said in a statement to TechCrunch. "The vendor immediately quits the server in question and we are working with experts from third-party researchers to investigate the situation. We are also in regular contact with police investigators and technology partners as this study continues."