For the third time in as many days, a large cache of sensitive data has been reportedly exposed due to a misconfigured Elasticsearch server. This time, a whopping 24 million financial and banking records are said to be involved.
On Wednesday, independent security researcher Bob Diachenko disclosed publicly that more than a decade’s worth of credit and mortgage records, many linked to some of the country’s largest banks and lenders, was temporarily exposed online. Many of the records include personal details, he said, such as Social Security numbers and home addresses.
He described the cache as a “gold mine” for cyber criminals looking to file false tax returns or get loans or credit cards using stolen identities.
Diachenko estimated that 51 GB of data had been left publicly exposed due to an unprotected Elasticsearch server. Elasticsearch, which is not itself responsible for the leak, is a popular enterprise search application used by companies to help visualise internal data.
Diachenko also wrote that he’d teamed up with TechCrunch reporter Zack Whittaker to uncover the cache’s origin. It was eventually traced back to a Fort Worth-based company known as Ascension Data & Analytics.
A lawyer for the company, which is run by Texas investment manager Rocktop Partners, told TechCrunch that the server was shut down after Diachenko notified it of the problem and that it has notified law enforcement and “technology partners”.
As for the mortgage institutions involved, TechCrunch reported:
From our review, it was clear that the documents pertain to loans and mortgages and other correspondence from several of the major financial and lending institutions dating as far back as 2008, if not longer, including CitiFinancial, a now-defunct lending finance arm of Citigroup, files from HSBC Life Insurance, Wells Fargo, CapitalOne and some U.S. federal departments, including the Department of Housing and Urban Development.
Diachenko stressed that, while 24 million records are involved, in some cases, the same document can produce multiple records. Moreover, it’s still unclear how many people are affected by the leak.
Earlier this week, ZDNet reported that an Elasticsearch server had been left exposed online without a password, revealing details about over 108 million bets managed by an online casino group.
Diachenko also reported another breach involving Elasticsearch at AIESEC, which describes itself as “the world’s largest youth-run organisation.”