TechCrunch Security Editor, Zach Whitaker reported on January 23, 2019"… an Elasticsearch database running on a server was unprotected and may have spilled "more than 24 million financial and banking documents, representing tens of thousands of loans and mortgages from some of the biggest banks in the U.S.
Perhaps a good thing was that some of this data was considerably old dating back to 2008. Maybe older and items that aren’t evergreen could be obsolete. However, these days you can piece together lots of data points and link them back to eventually create an identity. The potentially valuable social engineering blob was found by an independent security researcher, Bob Diachenko. The information from the banks was apparently provided to a third party for optical character recognization and conversion of handwritten notes to digital format by a company in Texas who was in control of the server according to the article. Some of the information was over ten years old but included lots of juicy social engineering fodder including: “names, addresses, birth dates, Social Security numbers, and bank and checking account numbers, as well as details of loan agreements that include sensitive financial information, such as why the person is requesting the loan.”
“Some of the documents also note if a person has filed for bankruptcy and tax documents, including annual W-2 tax forms, which are [targets for scammers to claim false refunds”
The data format could prove to be a challenge to assemble into separate records but perhaps not an insurmountable obstacle for some smart database jockeys.
Only a few mortgage trade journals picked up the story. And the story says the database owners are in the process of reporting the incident. When reported, it’s likely to come back into the news possibly with more information.
Nothing changes except remain vigilant about social engineering and phishing threats. Phish your users regularly!
The TechCrunch story here: