An unprotected Elasticsearch server exposed more than 24 million financial and banking documents online. According to security researcher Bob Diachenko and online publisher TechCrunch, the exposed server contained highly sensitive data on thousands of individuals who took out mortgages over the past decade with U.S. banks and other financial institutions.
Bob Diachenko stated that he identified the unprotected server on January 10, 2019, and that it contained 24,349,524 credit and mortgage reports totaling 51 GB. The server was taken offline and the data was secured on January 15, 2019, after Diachenko reported the incident to the server’s vendor.
The insecure server allowed open access to the documents that contained loan and mortgage agreements, repayment schedules, financial and tax documents, names, addresses, birth dates, social security numbers, and other sensitive information.
“These documents contained highly sensitive data, such as social security numbers, names, phones, addresses, credit history, and other details which are usually part of a mortgage or credit report. This information would be a gold mine for cyber criminals who would have everything they need to steal identities, file false tax returns, get loans or credit cards,” Bob Diachenko said in a statement.
“It is hard to tell how many people were actually affected in the breach. Given the sensitivity of data, I have immediately initiated a responsible disclosure protocol to privately alert the alleged owner of the Elasticsearch cluster,” Diachenko added.
Diachenko also found another data leak from a second storage server, on Amazon S3, which contained the original documents from the first exposed Elasticsearch server: around 23,000 pages in PDF format, 1.3 GB in size. The exposed documents are from banks and financial institutions across the U.S., and include loan and mortgage agreements, W-2 tax forms, and loan repayment schedules from the U.S. Department of Housing and Urban Development. The Amazon server was taken down within an hour of the issue being reported, Diachenko stated.
A couple of data leaks have involved Elasticsearch servers in recent times. In November 2018, an Elasticsearch database exposed personal details of 57 million U.S. citizens for almost two weeks. Bob Diachenko discovered that the server was left visible online without a password, exposing customers’ personal data. In a similar incident, a database from the same vendor exposed the real-time location data for over 11,000 Indian buses online over three weeks.