Security researchers say a Canadian mortgage brokerage database containing personal information on thousands of people has been left open online.
Access to the database, which belongs to Toronto-based 8Twelve Financial Technologies, was quickly restricted after the company was tipped off by researcher Jeremy Fowler and the staff of Website Planet, which provides resources for website builders.
According to a report released today, the database contains 717,814 records on thousands of Canadian residents, with mortgage-loan-related information including names, phone numbers, email addresses, physical addresses and more. The report says many of the records appear to be mortgage loan leads for people who want to buy a home, refinance, get a line of credit, or buy an investment property.
“We promptly served a notice of responsible disclosure, and 8Twelve acted quickly and professionally by restricting public access within hours of our discovery,” say the researchers.
ITWorldCanada emailed 8Twelve Financial chief marketing officer Rick McLaughlin requesting an interview with an official to explain how the exposure occurred. No response had been received as of the time of publication.
The company has two lines of business: mortgage lender 8Twelve Mortgage, which, the company’s website says, negotiates with 65 lenders to find the best mortgage rates in the Toronto area; and 8T Capital, which offers short-term loans.
This apparent breach of security controls is just the latest in a series of corporate databases found unprotected on the Internet. These misconfigured data stores are often uploaded to cloud services such as Amazon AWS, where their creators park them as a cache or intend to run data analysis on them, and then forget either to password-protect the files or to make sure they are not reachable from the public internet.
A blog post by vendor SecurityTrails notes that a number of database exposures involve Elasticsearch, a database for storing and analyzing large volumes of data. Elasticsearch binds only to localhost by default, the post notes, and in that state it is secure enough. But, the author adds, to make Elasticsearch usable across an organization, database administrators often make the mistake of binding it to a public network interface without a firewall in front of it.
A common tool for finding exposed databases is the Shodan search engine, which indexes anything connected to the internet. As a 2017 Wired article on exposed databases noted, if you want to find all MongoDB databases connected to the public Internet, just type “MongoDB” into Shodan. Not all databases found will contain sensitive personal information, but some may.
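The Elasticsearch mistake described above (a node rebound from localhost to a public interface with no authentication) is easy to catch before deployment by auditing the node's own config file. The following is an added example written for this article, not code from SecurityTrails or Elastic; it assumes a flat `key: value` elasticsearch.yml (a minimal parser, not full YAML), uses the real settings `network.host`, `http.host` and `xpack.security.enabled`, and treats an unset `xpack.security.enabled` as "not explicitly enabled" because the default differs across Elasticsearch versions.

```python
"""Audit an elasticsearch.yml for a node reachable beyond loopback without auth."""
import ipaddress
import re

LOOPBACK_TOKENS = {"_local_", "localhost", "127.0.0.1", "::1"}
WILDCARD_TOKENS = {"_site_", "_global_", "0.0.0.0", "::", "0"}

def parse_flat_yaml(text):
    """Parse simple 'key: value' lines; comments and blanks are ignored.
    Bracketed lists such as ["_local_", "_site_"] become Python lists."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, raw = line.partition(":")
        raw = raw.strip()
        if raw.startswith("[") and raw.endswith("]"):
            value = [v.strip().strip("\"'") for v in raw[1:-1].split(",") if v.strip()]
        else:
            value = raw.strip("\"'")
        settings[key.strip()] = value
    return settings

def is_non_loopback(token):
    """True when a host value makes the node reachable from other machines."""
    token = token.strip().lower()
    if token in LOOPBACK_TOKENS:
        return False
    if token in WILDCARD_TOKENS or re.fullmatch(r"_[\w\-]+_", token):
        return True  # _site_, _global_, 0.0.0.0 or a named interface like _eth0_
    try:
        return not ipaddress.ip_address(token).is_loopback
    except ValueError:
        return True  # any hostname other than localhost: assume reachable

def audit_elasticsearch(yaml_text):
    """Return a list of findings; an empty list means no exposure was detected."""
    s = parse_flat_yaml(yaml_text)
    # http.host overrides network.host for the REST API; the documented default is _local_
    hosts = s.get("http.host", s.get("network.host", "_local_"))
    hosts = hosts if isinstance(hosts, list) else [hosts]
    findings = []
    if any(is_non_loopback(h) for h in hosts):
        findings.append(f"HTTP API bound beyond loopback: {hosts}")
        if str(s.get("xpack.security.enabled", "")).lower() != "true":
            findings.append("xpack.security.enabled is not explicitly true: unauthenticated access")
    return findings

# Constructed sample configs: the risky pattern from the article, and a loopback-only one.
EXPOSED_CONFIG = "cluster.name: leads\nnetwork.host: 0.0.0.0\nhttp.port: 9200\n"
HARDENED_CONFIG = "network.host: _local_\nxpack.security.enabled: true\n"
```

Run `audit_elasticsearch` over each node's config in a pre-deployment check; a non-empty result should block the rollout until the bind address is narrowed or a firewall and authentication are in place.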
According to Website Planet, the database contained:
- 717,814 records. The database contained one folder named “Applicant” and five folders named “Application”;
- Applicants’ names, emails, work and home phone numbers, and cell numbers. Some records contained physical, state, or county addresses. Since most of the data can be tied to a specific individual, the data in the records may be considered Personally Identifiable Information (PII);
- In a random sample of 10,000 records, the term “e-mail” returned 18,382 results. Each record shown contains two email addresses: one belonging to the applicant and a corresponding one for the 8Twelve agent assigned to the lead. Almost all popular email services appeared in the data, notably Gmail (13,695 results) and Yahoo (3,406), along with Outlook, iCloud, AOL, and smaller numbers from several other email service providers.
- Mortgage leads from multiple Canadian provinces were collected into multiple folders marked as “Prod” (which we assume stands for “Production”). The logs seem to point to where the leads come from: Facebook ads, referral, website, etc. Campaign ID numbers were also listed in applicant files, which we may infer were for the purposes of internal tracking of sales and marketing effectiveness.
- Applicants self-submitted information about their financial situation, in the form of their credit score, bankruptcy, savings, finances, and other data to initiate the loan application process. For credit assessment purposes, mortgage agents may need to determine an applicant’s creditworthiness by disclosing the above financial information to an independent credit reporting agency or other source.
- The records also included 8Twelve employee names, email addresses, and internal notes about the loan or lead, indicating whether or not the applicant qualified for credit.
It is not known how long the unprotected database has been open on the Internet.