Massive 24-Million Record Financial & Mortgage Leak With OpticsML’s S3 Under A Microscope

January 2019 does not lack any grand scale cybersecurity news, the year just got started and we’re hearing data breaches, virus infections, and stolen data issues regularly as we reported here in hackercombat.com. This time, the news about a record of at least 24 million loans and mortgages from US-based banks were affected by the biggest breach so far for 2019. The decade-old running Elasticsearch database, used for storing financial and banking documents connected with mortgage payments were exposed to unknown 3rd parties.

The saddest part is the database was not locked by a password, hence the leak offered the unknown 3rd parties full-scale access to everything it contains. These include tax documents, loan-related data and other personal information that covers the full financial history of the victims.

“On January 15, this vendor learned of a server configuration error that may have led to the exposure of some mortgage-related documents. The vendor immediately shut down the server in question, and we are working with third-party forensics experts to investigate the situation. We are also in regular contact with law enforcement investigators and technology partners as this investigation proceeds,” explained Sandy Campbell, General Counsel of Rocktop Partners, one of the lending firms affected by the data breach. The company alone holds 46,000+ loans for their customers to the tune of $4.4 billion.

The breached network storage server came a vendor named OpticsML, which no longer has a working website at the time of this writing. In addition to this, OpticsML is also linked to another breached Amazon S3 storage server, also not protected by a password like the first. The leak could have been prevented if the storage servers were secured with a password.

“These documents contained highly sensitive data, such as Social Security numbers, names, phones, addresses, credit history and other details which are usually part of a mortgage or credit report. This information would be a gold mine for cybercriminals who would have everything they need to steal identities, file false tax returns, get loans or credit cards,” emphasized Bob Diachenko, a cybersecurity researcher.

Literally, anyone that could have seen the password-less S3 Storage Server online can just download any files they want from it. The S3 bucket itself contained PDF files numbering more than 23,000 pages, measuring 1.3 GB. Citi is one of the lending banks with data stored on the S3 bucket, and their press release said: “Citi recently became aware that a third party, with no connection to Citi, was storing certain mortgage origination and modification documents in an unsecured online environment. These documents contained information about current or former Citi customers, as well as customers from other financial institutions. Citi notified law enforcement, initiated a thorough forensic investigation and worked quickly to ensure the information could no longer be publicly accessed. The third party is a vendor to a company that had purchased the loans and we have found no evidence that Citi’s systems were compromised.”

This is still a developing story, make sure to check out Hackercombat.com for future updates regarding this data breach case.