A security lapse left millions of mortgage records exposed online without proper data protections, according to security researchers.
The cache of more than 24 million records included sensitive borrower information including Social Security numbers, tax data, mortgage origination and modification agreements and other information tied to tens of thousands of loans going back over a decade, according to a joint report by TechCrunch and security researcher Bob Diachenko.
“From our review, it was clear that the documents pertain to loans and mortgages and other correspondence from several of the major financial and lending institutions dating as far back as 2008, if not longer, including CitiFinancial, a now-defunct lending finance arm of Citigroup, files from HSBC Life Insurance, Wells Fargo, CapitalOne and some U.S. federal departments, including the Department of Housing and Urban Development,” TechCrunch reported.
The exposed data primarily consisted of digital records created with optical character recognition software, technology that extracts information from physical documents and converts it into data that can be stored in databases and analyzed.
“[T]he leak was traced back to Ascension, a data and analytics company for the financial industry, based in Fort Worth, Texas,” TechCrunch reported. “The company provides data analysis and portfolio valuations.”
Researchers estimate the database was exposed without password protection for at least two weeks before it was taken down, Diachenko wrote. It’s unclear how many individuals’ data was compromised and to what extent, if any, the information was intercepted by cybercriminals.
Ascension is owned by RockTop Partners, an Arlington, Texas-based alternative investment manager that specializes in mortgages. A RockTop attorney confirmed the incident to TechCrunch and attributed the lapse to a vendor.
“On January 15, this vendor learned of a server configuration error that may have led to exposure of some mortgage-related documents,” the lawyer, Sandy Campbell, said in a statement to TechCrunch. “The vendor immediately shut down the server in question, and we are working with third-party forensics experts to investigate the situation. We are also in regular contact with law enforcement investigators and technology partners as this investigation proceeds.”