A trove of more than 24 million financial and banking documents, representing tens of thousands of loans and mortgages from some of the biggest banks in the U.S., has been found online after a server security lapse, as reported by TechCrunch.
A severe security lapse has led to the leak of 24 million financial and banking documents https://t.co/F4WkJTsCLD
— TechCrunch (@TechCrunch) January 24, 2019
Expert Comments Below:
Ilia Kolochenko, CEO at High-Tech Bridge:
“Unprotected cloud storage and passwordless databases exposed online are unfortunately very widespread these days. Large organizations struggle to maintain petabytes of their data under control and inventory.
Numerous suppliers and partners may urgently need their data for various legitimate business purposes, but fail to maintain appropriate internal security controls. Third-party risk management is not a silver bullet either, as quite frequently access to data is time-sensitive and many companies are prone to close their eyes to some of the imperfections of the third-party security mechanisms. A large-scale scan of the Internet will likely produce hundreds, if not thousands, of similar databases with critical, sensitive and privileged data being hosted somewhere without any protection.
From a legal point of view, the companies whose negligence leads to data exposure may be liable for considerable financial penalties and/or face individual and even class action lawsuits. Security researchers who access and process the data should also be careful, as under certain circumstances they may break the criminal law and also expose themselves to other legal ramifications.”
Paul Bischoff, Privacy Advocate at Comparitech:
“If you’ve received a notification from your financial institution saying your details were involved in the breach, then you are at risk of identity theft. Go to annualcreditreport.com and get a free copy of your credit report. Check for any unfamiliar activity and follow up on anything suspicious. You’re allowed one free credit report per year. If you want something a little more vigilant, consider purchasing a subscription for an identity theft protection service. Freeze your credit if you can, but if that’s not an option, at least place a fraud alert on your report. Creditors will be forced to take extra steps to verify your identity when they pull your credit report to check it.
Tax season is coming up, so be ready for tax scams. Tax scams almost always rely on the scammer impersonating an authority figure, like your bank or the IRS. Leaked tax documents such as these allow the scammer to tailor their pitch to the victim and sound more convincing. Remember that the IRS almost always initiates contact over snail mail, not phone calls or email. They’ll let you pay how you want and won’t request payment in cryptocurrency, through money wire services, or in prepaid debit and gift cards. Never give up any payment or personal information before verifying the sender or caller’s identity. If you’re not sure, look up the number for the bank or IRS on Google and give them a call to ask what’s up.”
Javvad Malik, Security Advocate at AlienVault:
“This is a huge breach and comprises two issues. The first is third-party security. The data was given to a third party who didn’t secure it properly.
The second issue is that of misconfiguration. Unfortunately, it’s a common issue that we see and an easy mistake to make. It’s why it’s important for companies to have assurance controls and checks in place to validate that the right controls are consistently applied across the environments.”
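One form the "assurance check" mentioned above can take is a config audit that fails a deployment when an Elasticsearch node is left without authentication or bound to every interface. This is an added example, not code from the article or from any company quoted in it; the two `elasticsearch.yml` fragments are constructed, and the required values are an assumption of what a reviewer would demand.

```python
"""Audit an elasticsearch.yml fragment for the two settings that, left
permissive, turn a cluster into an unauthenticated public database.
Added example; the config text below is constructed."""

def parse_flat_yaml(text: str) -> dict:
    """Minimal parser for the flat 'key: value' lines elasticsearch.yml uses.
    Comments and blank lines are skipped; nested YAML is not handled."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"\'')
    return settings

def audit_elasticsearch_config(text: str) -> list:
    """Return a list of findings; an empty list means the fragment passes."""
    cfg = parse_flat_yaml(text)
    findings = []
    # xpack.security.enabled is the switch for authentication; a missing
    # key is reported as 'verify' rather than silently treated as a pass.
    sec = cfg.get("xpack.security.enabled")
    if sec is None:
        findings.append("xpack.security.enabled not set: verify the default for this version")
    elif sec.lower() != "true":
        findings.append("xpack.security.enabled is false: anyone reaching the port can read every index")
    # network.host controls which interfaces the HTTP API listens on.
    host = cfg.get("network.host", "")
    if host in ("0.0.0.0", "::", "_global_", "_site_"):
        findings.append(f"network.host is {host}: the HTTP API is reachable beyond the local host")
    return findings

# Constructed fragments: the permissive one beside its corrected form.
WEAK_CONFIG = """
cluster.name: loan-analytics
network.host: 0.0.0.0        # listens on every interface
xpack.security.enabled: false
"""
HARDENED_CONFIG = """
cluster.name: loan-analytics
network.host: 10.0.12.5      # private interface only (constructed address)
xpack.security.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_elasticsearch_config(cfg) or ["no findings"])
```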
Jonathan Deveaux, Head of Enterprise Data Protection at Comforte AG:
“Applied for a loan in the past 10 years? Then your personal data may have been exposed.
What’s unique about this cyber security leak is that the data may have originated at major banks (Citi, HSBC, and Wells to name a few) but they didn’t expose the data. A company who obtains the data for analytical purposes (think Big Data and ML) is most likely the source. It was reported that their servers were misconfigured and there were no password requirements to access the data.
If the banks are securing personal data when taking the loan application, but handing the data off to another company *unprotected* then this is a major security gap. And even if the data is secured when given to a company for analytical purposes, the next step is to ensure the data stays protected while they analyze it.
One of the data elements exposed in the report was social security numbers. There’s really no useful reason why a SSN is needed for analysis. SSNs could have been masked or tokenized, while other data was used for analytical purposes.
Banks and other Fintech companies need to really understand how other parties will use the personal data they provide them. And maybe it’s time they stop working with companies who don’t do more to secure sensitive data.”
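The masking and tokenization the comment above calls for can be applied before a loan file ever leaves the bank, so the analytics party receives a stable join key but never the SSN. This is an added example, not code from the article or from any bank or vendor named in it; the record layout, SSNs and key are constructed, and the HMAC-based tokenization is one standard approach, not the one any party here used.

```python
"""Pseudonymize loan records before they are handed to an analytics partner.
Added example; records, SSNs and the key below are constructed."""
import hmac
import hashlib
import re

SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")

def tokenize_ssn(ssn: str, key: bytes) -> str:
    """Keyed, deterministic token: the same SSN under the same key yields the
    same token, so datasets still join, but without the key the token cannot be
    reversed or cheaply enumerated (an unkeyed hash of a 9-digit value could be)."""
    if not SSN_RE.match(ssn):
        raise ValueError("not an SSN-shaped value")
    digits = ssn.replace("-", "")
    mac = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()
    return "tok_" + mac[:32]

def mask_ssn(ssn: str) -> str:
    """Display form that keeps only the last four digits."""
    return "***-**-" + ssn.replace("-", "")[-4:]

def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Copy of the record with the SSN replaced by a token and a masked
    display value; every other field passes through unchanged."""
    out = {k: v for k, v in record.items() if k != "ssn"}
    out["ssn_token"] = tokenize_ssn(record["ssn"], key)
    out["ssn_masked"] = mask_ssn(record["ssn"])
    return out

def contains_raw_ssn(record: dict) -> bool:
    """Release gate: refuse to export anything still carrying an SSN-shaped value."""
    return any(isinstance(v, str) and SSN_RE.match(v) for v in record.values())

# Constructed sample: two loans for the same borrower, written with and
# without dashes, plus a key that in practice lives in a KMS, never beside the data.
KEY = b"constructed-demo-key-rotate-me"
LOANS = [
    {"loan_id": "L-1001", "ssn": "123-45-6789", "balance": 212000},
    {"loan_id": "L-1002", "ssn": "123456789", "balance": 18500},
]

if __name__ == "__main__":
    for r in LOANS:
        out = pseudonymize_record(r, KEY)
        assert not contains_raw_ssn(out)
        print(out)
```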
Colin Bastable, CEO at Lucy Security:
“When US lenders offload our mortgages and loans to third parties, they offload the data too, and wash their hands of all responsibility. In its drive for profitability, the US financial industry has outsourced many services to third party service providers, and at the heart of this fragmented industry is consumer data. Our Data.
The relentless drive for greater margins comes at the expense of consumer data protection: our loans and our data are commodities to be traded, whereas consumers are still under the illusion that they have a relationship with their banks.
Dumpster Diving is bad enough – we often read about confidential papers being dumped in the trash when financial offices close.
In this case, the data has been re-digitized from paper records and mismanaged in a now notorious database known for great data analysis but lousy security. That the database admins forgot to secure the data with a password should shock us, but it doesn’t.
US consumers urgently need Congress to give consumers lifetime rights over their data, so that every organization taking or handling consumer data has a lifetime liability in the case of any data breach.”
Ruchika Mishra, Director of Products and Solutions at Balbix:
“Armed with exposed Social Security numbers, names, addresses, credit history, phone numbers, W2 forms and other sensitive information, a malicious actor can level significant damage against individuals affected by this breach. Actions could range from identity theft, filing false tax returns, applying for loans or credit cards in a victim’s name—the list goes on. This exposure is another unfortunate example of a lack of authentication on an Elasticsearch server leading to a massive data leak like AIESEC’s recent breach of 4 million intern applications and last year’s Voxox misconfiguration which led to the exposure of 26 million 2FA codes, password reset links and delivery tracking details.
Misconfigurations like this are, unfortunately, a dime a dozen. Organizations are tasked with the hefty burden of continuously monitoring all assets and more than 200 potential attack vectors to detect vulnerabilities. Through this process, companies are likely to detect thousands of vulnerabilities—far too many to tackle all at once. The key to preventing a breach as devastating as Ascension’s is to leverage security tools that employ artificial intelligence and machine learning that analyze the tens of thousands of data signals to prioritize which vulnerabilities to fix first, based on risk and business criticality. Obviously in this case, a database containing such sensitive information is critical to the business and addressing any vulnerabilities in its security should have been highly prioritized. Organizations must adopt advanced security platforms to proactively manage risk and avoid breaches instead of reacting to a security incident after it occurs.”
George Wrenn, CEO at CyberSaint Security:
“This incident is a reminder that it is critical that we set high expectations for security and data protection when dealing with sensitive information. Organizations need to understand their gaps, and identify areas to build on their security posture at all times. This is especially true in cases where sensitive and personal information could be exposed.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.