Incident Of The Week: Millions of Financial Records Exposed by Elasticsearch Database

The database is believed to have been open for two weeks


More than 24 million financial records involving mortgages and credit reports from some of the country’s largest banks were breached when an Elasticsearch database was exposed – the third time this month that an open Elasticsearch server has been found.

The records contained highly sensitive personal information, including social security numbers, names, phone numbers, addresses and credit history. Independent security researcher Bob Diachenko disclosed that more than a decade’s worth of credit and mortgage records, many linked to some of the country’s largest banks and lenders, were temporarily exposed online. 

The database is believed to have been open for two weeks.

“This information would be a gold mine for cyber criminals who would have everything they need to steal identities, file false tax returns, get loans or credit cards,” Diachenko wrote.

His research of the database revealed “a massive amount of the documents referenced the CitiFinancial company,” and Diachenko said that after contacting the company earlier this month the data was secured on Jan. 15. The leak was ultimately traced to Texas-based data and analytics firm Ascension Data & Analytics, which provides data analysis and document management, according to TechCrunch.

One of the services Ascension provides is converting paper documents and handwritten notes into optical character recognition (OCR) files. It was these documents that were exposed, Diachenko wrote.

TechCrunch assisted Diachenko in researching the leak, and reported that “the documents pertain to loans and mortgages and other correspondence from several of the major financial and lending institutions dating as far back as 2008, if not longer, including CitiFinancial, a now-defunct lending finance arm of Citigroup, files from HSBC Life Insurance, Wells Fargo, CapitalOne and some U.S. federal departments, including the Department of Housing and Urban Development.”

Earlier this week, ZDNet reported that an Elasticsearch server had been left exposed online without a password, revealing details about more than 108 million bets managed by an online casino group.

On Jan. 11, Diachenko reported another data breach involving Elasticsearch at AIESEC, which describes itself as “the world’s largest youth-run organization.” That database contained around four million applications and also exposed sensitive information.  

Late last year, data was leaked from another Elasticsearch database that wasn’t protected with a password, TechCrunch reported. It contained millions of SMS text messages.

For at least the second time now, Diachenko issued a warning that companies need to be proactive about data protection. A lack of authentication protocols allows the installation of malware or ransomware on Elasticsearch servers, he wrote.

“The public configuration allows the possibility of cybercriminals to manage the entire system with full administrative privileges,” Diachenko wrote. “Once the malware is in place criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.”

