Following a server security lapse, more than 24 million financial and banking documents from some of the biggest banks in the U.S. were exposed online. The vulnerable server ran an Elasticsearch database and held highly sensitive financial and tax documents, including loan and mortgage agreements, repayment schedules, and more.
The server was not protected with a password for nearly two weeks, allowing anyone to access and read the trove of sensitive data. The database was shut down immediately following a warning issued by independent security researcher Bob Diachenko, who discovered the breach.
“These documents contained highly sensitive data, such as Social Security numbers, names, phones, addresses, credit history, and other details… a gold mine for cybercriminals who would have everything they need to steal identities, file false tax returns, and get loans or credit cards,” Diachenko told a popular news publisher that further investigated the breach.
The leak was traced back to Ascension, a Texas company that provided data analysis and portfolio valuation services to the financial industry. Ascension also converts paper documents and handwritten notes into computer-readable files, a process known as OCR. The exposed server owned by Ascension contained data that belonged to Citigroup’s now-defunct CitiFinancial subsidiary, HSBC Life Insurance, Wells Fargo, Capital One and federal agencies including the Department of Housing and Urban Development.
Sandy Campbell, General Counsel at Rocktop Partners, Ascension’s parent company, confirmed the breach, stating, “On Jan. 15, this vendor learned of a server configuration error that may have led to the exposure of some mortgage-related documents… We are working with third-party forensics experts to investigate the situation. We are also in regular contact with law enforcement investigators and technology partners as this investigation proceeds.”