A Canadian mortgage broker’s database containing the personal information of thousands of people was left open on the Internet, according to security researchers.
Access to the database, belonging to Toronto-based 8Twelve Financial Technologies, was quickly closed off after the company was notified by researcher Jeremy Folver and staff at Website Planet, which provides resources for website builders.
According to a report released today, the database contains 717,814 records on thousands of Canadian residents, including home mortgage loan related information such as names, phone numbers, email addresses, physical addresses and more. The report notes that many of the records appear to be mortgage leads from people looking to buy a home, refinance, obtain an equity line of credit or purchase an investment property.
“We immediately sent a responsible disclosure notice and 8Twelve acted swiftly and professionally by restricting public access within hours of our discovery,” the researchers say.
In an interview, Akbar Abbas, 8Twelve Financial’s president and CIO, said an employee made a mistake in December while moving data to an AWS bucket. “This incident occurred when one of our report analysts was working on a migration and accidentally left one of the ports open. This was quickly detected through our penetration testing. No data was removed from our servers. That person was later let go from the organization. We now have solutions in place to keep us from moving forward.”
As for the researchers who discovered the glitch, Abbas said, “We realized it ourselves before they informed us.”
Abbas said the company’s responses included working with security consultants to address any deficiencies.
When asked if the incident was embarrassing, he replied, “Yes. You never want to be in this type of situation. The reality of the security scenario is that things are changing very rapidly. We have since [the incident], in the last four weeks, put a lot of extra control over what we do… to be as active as we can.”
Abbas did not know whether his company had informed the regulatory body about the breach of security controls.
The company has two lines of business: 8Twelve Mortgage Lending, which, the company’s site says, negotiates with 65 lenders to find the best mortgage rates in Toronto’s North York area; and 8T Capital, which provides short-term loans.
This apparent breach of security controls is the latest in a string of corporate databases found to be exposed on the Internet. Often these misconfigured files are uploaded to cloud storage services like Amazon AWS, where their owners put them temporarily or intend to perform data analysis, and then forget to password-protect the files or to make sure they are not reachable from the public Internet.
A blog by vendor SecurityTrails notes that some of the most common database blunders involve Elasticsearch, a database for storing and analyzing large amounts of data. Elasticsearch binds only to localhost by default, the article notes, which is secure enough. But, it adds, to make Elasticsearch usable across an organization, database administrators often make the mistake of binding it to the public network interface without firewalling it.
A widely used tool for finding exposed databases is the Shodan search engine, which indexes anything connected to the Internet. As a 2017 Wired article on exposed databases noted, if you want to find all MongoDB databases connected to the public Internet, you can simply type “MongoDB” into Shodan. Not every database found will contain sensitive personal information, but some may.
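One way to catch the Elasticsearch bind mistake SecurityTrails describes before a node goes live, as an added example (not code from the article or from SecurityTrails): a small audit of elasticsearch.yml that flags a `network.host` bound beyond loopback and checks whether `xpack.security.enabled` is on; both setting names are real Elasticsearch settings, and the two sample configurations are constructed.

```python
# Added example (not code from the article or SecurityTrails): audit flat
# elasticsearch.yml settings for the misconfiguration described above, i.e.
# Elasticsearch bound to a public interface without protection. Configs are constructed.
import ipaddress

WEAK_CONFIG = """
cluster.name: leads-prod
network.host: 0.0.0.0          # every interface, including the public one
xpack.security.enabled: false  # no authentication in front of the HTTP API
"""
HARDENED_CONFIG = """
cluster.name: leads-prod
network.host: _local_          # loopback only (the Elasticsearch default)
xpack.security.enabled: true
"""

def parse_flat_yaml(text):
    """Parse 'key: value' lines, dropping comments; nested YAML is not needed here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip()
    return settings

def host_binds_publicly(value):
    """True if any network.host entry (scalar or [list]) reaches beyond loopback."""
    for host in (h.strip() for h in value.strip("[]").split(",") if h.strip()):
        if host.startswith("_local_"):
            continue  # loopback special value
        if host in ("0.0.0.0", "::") or host.startswith(("_site", "_global")):
            return True  # wildcard, site-local or globally routable address
        try:
            if not ipaddress.ip_address(host).is_loopback:
                return True
        except ValueError:
            return True  # a hostname: assume it resolves to a reachable address
    return False

def audit_elasticsearch_config(text):
    """Return findings; an empty list means the node only listens on loopback."""
    settings = parse_flat_yaml(text)
    host = settings.get("network.host", "_local_")  # absent key = default bind
    findings = []
    if host_binds_publicly(host):
        findings.append(f"network.host={host} binds a non-loopback interface")
        if settings.get("xpack.security.enabled", "").lower() != "true":
            findings.append("xpack.security.enabled is not true on a public bind")
    return findings
```

Run against the weak configuration the audit returns two findings; against the hardened one it returns none, and a firewall rule in front of the node remains the second layer the article recommends.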
According to Website Planet, the database includes:
- 717,814 records. The database contained one folder named “applicants” and five folders named “applications”;
- Applicant’s name, email, phone number for work, home and cell. Some records included physical addresses, states or provinces. Since much of the data may be related to a specific individual, data found in records may be considered Personally Identifiable Information (PII);
- In a random sample of 10,000 records, the term “email” returned 18,382 results. Each record displayed has two email addresses: one for the applicant and one for the 8Twelve agent to whom the lead was assigned. Nearly all common email services appeared in the data, notably Gmail (13,695 results) and Yahoo (3,406), with smaller numbers from Outlook, iCloud, AOL and several other email providers.
- Mortgage leads from several Canadian provinces were collected in several folders marked “Prod” (which we assume stands for “Production”). The records seem to indicate where the leads came from: Facebook ads, referrals, website, etc. Campaign ID numbers were also listed in the applicant files, which we infer are for internal tracking of sales and marketing effectiveness.
- Self-submitted information about applicants’ own financial status in the form of their credit scores, bankruptcy, savings, finances and other data to start the loan application process. For credit evaluation purposes, mortgage agents may be required to determine the applicant’s creditworthiness by disclosing the above financial information to an independent credit reporting agency or other source.
- The records also included 8Twelve employees’ names, email addresses, and internal notes about the potential loan or customer, indicating whether the applicant was credit-worthy.
(This story has been updated from the original with comments from Akbar Abbas)