A Canadian mortgage broker’s database containing personal information on thousands of people was left open on the internet, according to security researchers.
Access to the database belonging to Toronto-based 8Twelve Financial Technologies was quickly restricted after the company was notified by researcher Jeremy Fowler and the staff of Website Planet, which offers resources for website builders.
According to a report issued today, the database has 717,814 records on thousands of Canadian residents, with home mortgage loan-related information including names, phone numbers, email addresses, physical addresses, and more. Many of the records appeared to be mortgage leads of people who want to buy a house, refinance, obtain an equity line of credit, or purchase an investment property, the report says.
“We immediately sent a responsible disclosure notice and 8Twelve acted fast and professionally by restricting public access within hours of our discovery,” the researchers say.
In an interview 8Twelve Financial president and CIO Akber Abbas said a staffer made a mistake in December when shifting data to an AWS bucket. “This incident happened when one of our report analysts was working on a migration and accidentally left one of the ports open. It was quickly identified through our penetration testing. No data was removed from our server. That person was subsequently let go from the organization. We have solutions now in place to protect us moving forward.”
As for the researchers who found the blunder, Abbas said “we realized it ourselves before they notified us.”
Abbas said the company’s responses included working with security consultants to close any gaps.
Asked if the incident is embarrassing, he replied, “Yeah. You never want to be in this type of position. The reality of the security landscape is things are changing very quickly. We have since [the incident] put in a number of additional controls in the last four weeks above what we do … to be as proactive as we can.”
Abbas didn’t know if his company has notified a regulatory body about the breach of security controls.
The company has two lines of business: 8Twelve Mortgage for mortgage lending, which, the company’s site says, negotiates with 65 lenders to find the best mortgage rates in the North York region of Toronto; and 8T Capital, which offers short-term loans.
This apparent breach of security controls is just the latest in a string of corporate databases found unprotected on the internet. Often these wrongly configured files are uploaded to cloud storage services like Amazon AWS, where their creators put them temporarily or intend to do data analysis, and then forget either to password-protect the files or to ensure they aren’t reachable from the public internet.
A blog by vendor SecurityTrails notes that some of the most common database blunders involve the use of Elasticsearch, a database for storing and analyzing large amounts of data. Elasticsearch by default binds to localhost only, the article notes, which is secure enough. But, it adds, to make Elasticsearch usable in an organization, database administrators often make the mistake of binding Elasticsearch to the public network interface without firewalling it.
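The binding mistake described above can be caught before a node goes live by auditing the node's `elasticsearch.yml`. The script below is an added example written for this article, not code from 8Twelve, Website Planet or SecurityTrails; the two configuration fragments are constructed for illustration, and the check relies only on the real Elasticsearch settings `network.host` and `xpack.security.enabled` (a minimal flat-YAML parser is used so the example runs without PyYAML).

```python
"""Audit an elasticsearch.yml for the 'bound to a public interface, no protection' mistake."""
from __future__ import annotations
import ipaddress

# Constructed config fragments (not from any real deployment).
# Weak: the node listens on every interface and nothing requires authentication.
WEAK_CONFIG = """
cluster.name: leads-cluster
network.host: 0.0.0.0
http.port: 9200
"""

# Hardened: loopback only (the Elasticsearch default) plus security explicitly enabled,
# so even a later change of network.host does not expose an unauthenticated node.
HARDENED_CONFIG = """
cluster.name: leads-cluster
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
"""

# Special values Elasticsearch accepts for network.host that mean "local machine only".
LOOPBACK_ALIASES = {"_local_", "localhost"}


def parse_flat_yaml(text: str) -> dict[str, str]:
    """Parse the flat 'key: value' lines typical of elasticsearch.yml, ignoring comments.

    Deliberately minimal so the example has no third-party dependency; nested YAML
    or list-valued settings (e.g. network.host: ["_local_", "_site_"]) are out of scope.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def is_loopback_binding(host: str) -> bool:
    """True when network.host keeps the node reachable from the local machine only."""
    if host in LOOPBACK_ALIASES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # Hostnames and other special names (_site_, _global_, interface names)
        # are treated as non-loopback: they bind to a network-facing address.
        return False


def audit_elasticsearch_config(text: str) -> list[str]:
    """Return a list of findings; an empty list means this check found nothing."""
    cfg = parse_flat_yaml(text)
    findings: list[str] = []
    # If network.host is absent, Elasticsearch binds to loopback only.
    host = cfg.get("network.host", "_local_")
    # Conservative: security counts as on only when the file says so explicitly.
    security_on = cfg.get("xpack.security.enabled", "").lower() == "true"
    if not is_loopback_binding(host):
        findings.append(f"network.host={host!r} exposes the node beyond localhost")
        if not security_on:
            findings.append(
                "xpack.security.enabled is not set to true: the exposed node accepts "
                "unauthenticated requests unless a firewall blocks them"
            )
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_elasticsearch_config(text) or ["no findings"])
```

Running the audit in a deployment pipeline (or a configuration-management pre-commit hook) turns the "bound it to the public interface and forgot the firewall" error into a blocked change rather than a record on Shodan. The check is intentionally conservative: a node bound to `_site_` with a correct host firewall still gets flagged, which is the safer direction for a gate like this.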
A great tool for finding exposed databases is the Shodan search engine, which finds anything connected to the internet. As a 2017 article on exposed databases in Wired noted, if you want to find all the MongoDB databases connected to the public internet, just type “MongoDB” into Shodan. Not all of the databases found will have sensitive personal information, but some might.
According to Website Planet, the database contained:
- 717,814 records. The database contained one folder named “applicant” and five folders named “application”;
- applicant names, emails, and phone numbers for work, home, and cell. Some records contained physical addresses and state or province. As most of the data could relate to a specific individual, data found in the records could be considered Personally Identifiable Information (PII);
- in a random sampling of 10,000 records, the term “email” returned 18,382 results. Each record displayed contained two email addresses: one belonging to the applicant, accompanied by a corresponding one from the 8Twelve agent who was assigned the lead. Nearly all common email services appeared in the data, notably Gmail (13,695 results) and Yahoo (3,406), along with Outlook, iCloud, AOL, and smaller numbers of multiple other email providers;
- mortgage leads from multiple Canadian provinces were collected in multiple folders marked as “Prod” (which we assume stands for “production”). The records appeared to indicate where the leads came from: Facebook ads, referral, website, etc. Campaign ID numbers were also listed in the applicant files, which we may infer were for the purposes of internal tracking of sales and marketing effectiveness;
- applicants’ self-submitted information about their own financial standing, in the form of their credit scores, bankruptcy, savings, finances, and other data needed to start the loan application process. For credit evaluation purposes, mortgage agents may need to determine an applicant’s creditworthiness by disclosing the aforementioned financial information to an independent credit reporting agency or another source;
- records also included 8Twelve employee names, email addresses, and internal notes about the prospective loan or customer, indicating whether an applicant was credit-worthy or not.
(This story has been updated from the original with the addition of comments from Akber Abbas)