News Insights: Millions of bank loan and mortgage documents have leaked online

Millions of bank loan and mortgage documents have leaked online

Millions of bank loan and mortgage documents have leaked online

A trove of more than 24 million financial and banking documents, representing tens of thousands of loans and mortgages from some of the biggest banks in the U.S., has been found online after a server security lapse. The server, running an Elasticsearch database, had more than a decade’s worth…



News Insights:

According to Colin Bastable, CEO, Lucy Security:

“When US lenders offload our mortgages and loans to third parties, they offload the data too, and wash their hands of all responsibility. In its drive for profitability, the US financial industry has outsourced many services to third party service providers, and at the heart of this fragmented industry is consumer data. Our Data.

The relentless drive for greater margins comes at the expense of consumer data protection: our loans and our data are commodities to be traded, whereas consumers are still under the illusion that they have a relationship with their banks.

Dumpster Diving is bad enough – we often read about confidential papers being dumped in the trash when financial offices close.

In this case, the data has been re–digitized from paper records and mismanaged in a now notorious database known for great data analysis but lousy security. That the database admins forgot to secure the data with a password should shock us, but it doesn’t.

US consumers urgently need Congress to give consumers lifetime rights over their data, so that every organization taking or handling consumer data has a lifetime liability in the case of any data breach.”


According to George Wrenn, CEO, CyberSaint Security:

“This incident is a reminder that it is critical that we set high expectations for security and data protection when dealing with sensitive information. Organizations need to understand their gaps, and identify areas to build on their security posture at all times. This is especially true in cases where sensitive and personal information could be exposed.”


According to Tim Erlin, VP, product management and strategy at Tripwire:

“While sophisticated attacks may grab headlines, these types of misconfigurations can definitely be as impactful to the bottom line, if not more. This wasn’t a sophisticated attack by a well-funded nation-state adversary. It was a misconfiguration, a mistake. Organizations need to be able to detect and remediate misconfigurations, period.

“This is highly sensitive data that was exposed to anyone willing to look for it.

“Moving data and applications to the cloud doesn’t magically absolve an organization of its security responsibilities.”