Poor practices expose 24 million financial records

Security researcher Bob Diachenko has discovered more than 24 million financial and banking records that were available online without any password protection.

The data comprised banking and financial documents relating to tens of thousands of loans and mortgages over a period of about 10 years from some of the biggest US banks, including Wells Fargo and CapitalOne.

Other data was from CitiFinancial, a defunct lending finance arm of Citigroup, HSBC Life Insurance and some US federal departments.

The records were stored in an ElasticSearch cluster which contained 51GB of what appeared to be OCR (optical character recognition) credit and mortgages reports, Diachenko said in a blog post.

“The documents contained highly sensitive data, such as social security numbers, names, phones, addresses, credit history and other details which are usually part of a mortgage or credit report,” he said.

“This information would be a goldmine for cyber criminals, who would have everything they need to steal identities, file false tax returns, get loans or credit cards.”

The exposed data was eventually traced to a data and analytics company called Ascension in Fort Worth, Texas, with the help of TechCrunch, which first reported Diachenko’s findings.

According to parent company Rocktop Partners, Ascension shut down the server in question after learning of a “server configuration error” that “may have led to exposure of some mortgage-related documents”. The company also said an investigation by third-party forensics experts was under way and that they were in contact with law enforcement investigators and technology partners.

Ilia Kolochenko, CEO of web security company High-Tech Bridge, said unprotected cloud storage and passwordless databases exposed online are widespread.

“Large organisations struggle to maintain petabytes of their data under control and inventory,” he said. “Numerous suppliers and partners may urgently need their data for various legitimate business purposes, but fail to maintain appropriate internal security controls.”

Third-party risk management is not a silver bullet either, said Kolochenko. “Quite frequently, access to data is time-sensitive and many companies are prone to close their eyes to some of the imperfections of the third-party security mechanisms,” he said.

“A large-scale scan of the internet will likely produce hundreds, if not thousands of similar databases with critical, sensitive and privileged data being hosted somewhere without any protection.”

From a legal point of view, said Kolochenko, the companies whose negligence leads to data exposure may be liable for considerable financial penalties and/or face individual and even class action lawsuits.

“Security researchers who access and process the data should also be careful, as under certain circumstances they may break the criminal law and also expose themselves to other legal ramifications,” he said.

To fight the proliferation of lost data, Kolochenko said High-Tech Bridge offers a free service called ImmuniWeb Discovery to help organisations identify all external applications, databases and unprotected cloud storage.

Todd Peterson, IAM evangelist at security firm One Identity, said companies such as Ascension have a responsibility to process and manage highly valuable financial data in a secure way.

“Leaving the server exposed and without a password demonstrates such a serious vulnerability in their corporate system that could lead to any number of instances of identity theft and fraud,” he said.

To prevent this kind of data exposure from happening again, Peterson said organisations should follow these core principles:

• Use multifactor authentication, especially for superuser accounts  and privileged accounts.
• Educate staff on cyber security to protect data assets.
• Take steps to protect the most valuable assets, such as implementing privileged access management.
• Follow good governance practice to ensure the right people have the right access to the right stuff.

Jonathan Deveaux,  head of enterprise data protection at Comforte, said that if banks are securing personal data when taking loan applications, but then handing the data off to another company unprotected, then this is a major security gap. 

“Even if the data is secured when given to a company for analytical purposes, the next step is to ensure the data stays protected while they analyse it,” said Deveaux.

He pointed out that one of the data elements exposed in the report was social security numbers, but there is really no useful reason why those numbers are needed for analysis, which means they could have been masked or tokenised while other data was used for analytical purposes.

“Banks and other FinTech companies need to really understand how other parties will use the personal data they provide them,” said Deveaux. “Maybe it’s time they stopped working with companies that don’t do more to secure sensitive data.”

Tim Erlin, vice-president at security firm Tripwire, said this case underlines the importance of organisations being able to detect and remediate misconfigurations.

“This is highly sensitive data that was exposed to anyone willing to look for it,” he said. “Moving data and applications to the cloud doesn’t magically absolve an organisation of its security responsibilities.”