The massive data breach involving more than 24 million mortgage and banking documents just got much, much worse as an investigation unearthed a separate unprotected server that provided access to some of the original documents to anyone who happened upon it online.
The details of the expanded breach come again from TechCrunch, which has done yeoman’s work on exposing this incredible breach in mortgage and banking security.
In the original breach, an unprotected server held digital files containing the information from 24 million mortgage and banking documents. That data had been scraped from the original documents using OCR (optical character recognition), a computer process that converts paper documents into electronic documents.
The original mortgage documents were converted into digital files that were not easily readable, but people’s highly sensitive personal information, including names, addresses, dates of birth, Social Security numbers, and other information was accessible in the database for at least two weeks.
But Thursday, the problem worsened, as TechCrunch now reports that an investigation found a separate unprotected and exposed server that housed some of the original mortgage and banking documents themselves, including mortgage applications and W-9 forms.
From the latest TechCrunch report:
Independent security researcher Bob Diachenko and TechCrunch traced the source of the leaking database to a Texas-based data and analytics company, Ascension. When reached, the company said that one of its vendors, OpticsML, a New York-based document management startup, had mishandled the data and was to blame for the data leak.
It turns out that data was exposed again — but this time, it was the original documents.
Diachenko found the second trove of data in a separate exposed Amazon S3 storage server, which too was not protected with a password. Anyone who went to an easy-to-guess web address in their web browser could have accessed the storage server and seen — and downloaded — the files stored inside.
According to the report, the database contained 23,000 pages of PDF documents that contained borrowers’ highly sensitive personal information, the type of information that they would typically provide for obtaining a mortgage.
It’s unknown at this time how long the documents were left exposed or who may have accessed them during that time.