A Canadian mortgage broker’s database containing the personal information of thousands of people has been exposed on the Internet, according to security researchers.
Access to the database, owned by Toronto-based 8Twelve Financial Technologies, was quickly restricted after the company was alerted by researcher Jeremy Folver and staff at Website Planet, which offers resources for website builders.
According to a report released today, the database held 717,814 records on thousands of Canadians, with home mortgage-related information including names, phone numbers, email addresses, physical addresses and more. Many of the records are mortgage leads from people looking to buy a home, refinance, obtain a home equity line of credit or buy an investment property, the report said.
“We immediately sent out a responsible disclosure notice, and 8Twelve acted quickly and professionally, limiting public access within hours of our discovery,” the researchers said.
IT World Canada emailed Rick McLaughlin, chief marketing officer of 8Twelve Financial, requesting an interview to explain how the incident occurred. No response was received at press time.
The company has two lines of business: 8Twelve Mortgages, which, according to the company’s website, negotiates with 65 lenders to find the best mortgage rates in Toronto’s North York area; and 8T Capital, which offers short-term loans.
This apparent breach of security controls is the latest in a series of corporate databases found unprotected on the Internet. Often these misconfigured data stores are uploaded to cloud services such as Amazon AWS, where their creators temporarily host them or intend to run data analysis, then forget either to require authentication or to ensure the data is not publicly accessible.
The SecurityTrails blog notes that some of the most common database mistakes involve Elasticsearch, a search engine and data store used to hold and analyze large amounts of data. Elasticsearch binds only to localhost by default, the article notes, which is safe enough. But, it adds, to make Elasticsearch usable across an organization, administrators often make the mistake of binding it to a public network interface without putting authentication, TLS or a firewall in front of it. (The default HTTP port is 9200; Elasticsearch 8.x enables its security features by default, while 7.x and earlier shipped with them off unless explicitly turned on.)
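The misconfiguration described above can be caught by reading the node's elasticsearch.yml before it goes live. The following audit script is an added example written for this article; it is not code from SecurityTrails, Website Planet or 8Twelve. It assumes the flat `dotted.key: value` layout that elasticsearch.yml uses and takes the Elasticsearch major version as a parameter, because 8.x turns `xpack.security.enabled` on when the key is absent and 7.x does not. The two sample configurations (a weak one binding to every interface with security off, and a hardened one on a private address with security and TLS on) are constructed for the example.

```python
"""Flag an Elasticsearch node bound to a non-loopback interface with no
authentication in front of it (the pattern behind most exposed-cluster leaks).
Added example for this article; not the vendor's or researchers' code."""
import ipaddress

LOOPBACK_ALIASES = {"_local_", "localhost", "127.0.0.1", "::1"}


def parse_flat_yaml(text: str) -> dict:
    """Parse the flat 'dotted.key: value' lines elasticsearch.yml uses.
    Comments and blank lines are skipped; nested YAML is not handled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def _hosts(value: str) -> list:
    """network.host may be a single value or a YAML flow list like [_local_, _site_]."""
    return [h.strip() for h in value.strip("[]").split(",") if h.strip()]


def _is_loopback(host: str) -> bool:
    if host in LOOPBACK_ALIASES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:           # special values such as _site_, _global_, 0.0.0.0
        return False


def assess_exposure(config_text: str, version_major: int = 7) -> list:
    """Return a list of human-readable findings; an empty list means the node
    is reachable only from the host itself."""
    s = parse_flat_yaml(config_text)
    findings = []
    hosts = _hosts(s.get("network.host", "_local_"))   # ES default: loopback only
    non_loopback = [h for h in hosts if not _is_loopback(h)]
    if not non_loopback:
        return findings
    port = s.get("http.port", "9200")                    # ES default HTTP port
    findings.append(
        f"bound to non-loopback interface(s): {', '.join(non_loopback)} on port {port}")
    sec = s.get("xpack.security.enabled")
    # 8.x enables security when the key is absent; 7.x and earlier leave it off.
    sec_on = (version_major >= 8) if sec is None else (sec.lower() == "true")
    if not sec_on:
        findings.append(
            "xpack.security.enabled is off: anyone who can reach the port can read every index")
    return findings


# Constructed sample configurations (not from the incident).
WEAK_CONFIG = """
cluster.name: leads
network.host: 0.0.0.0          # every interface, including the public one
http.port: 9200
xpack.security.enabled: false  # no usernames, no TLS
"""

HARDENED_CONFIG = """
cluster.name: leads
network.host: 10.0.0.5         # private address; still firewall it
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, assess_exposure(cfg) or ["loopback only"])
```

The hardened configuration still produces one finding, deliberately: binding to a private address reduces exposure but does not replace a firewall rule or security group limiting who can reach port 9200, and the script cannot see those from the YAML alone.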
A useful tool for finding exposed databases is the Shodan search engine, which indexes anything connected to the Internet. As a 2017 Wired article on open databases noted, if you want to find all MongoDB databases reachable from the public Internet, just type “MongoDB” into Shodan. Not every repository found will contain sensitive personal information, but some will.
According to Website Planet, the database contained:
- 717,814 records. The database contained one folder named “applicant” and five folders named “application”;
- names of applicants and their email addresses and work, home and mobile phone numbers. Some records contained physical addresses and a state or province. Because most of the data relates to identifiable individuals, the data in the records may be considered Personally Identifiable Information (PII);
- in a random sample of 10,000 records, the term “email” returned 18,382 results. Each record displayed contained two email addresses: one belonging to the applicant and one to the 8Twelve agent assigned to the file. Almost all common email services appeared in the data, particularly Gmail (13,695 results) and Yahoo (3,406), along with Outlook, iCloud, AOL and several other email providers;
- mortgage applications from several Canadian provinces, collected in multiple folders labeled “Prod” (which we assume stands for “production”). The records show where the leads came from: Facebook ad, referral, website, etc. Applicant files also contain campaign ID numbers, which we infer are used for internal tracking of sales and marketing performance;
- information from applicants about their own financial situation, in the form of credit scores, bankruptcies, savings, finances and other data needed to start the loan application process. For credit evaluation purposes, mortgage brokers may need to determine an applicant’s creditworthiness by providing this financial information to an independent credit reporting agency or other source;
- 8Twelve employee names, email addresses, mailing addresses and internal notes on a prospective loan or customer indicating whether or not the applicant is creditworthy.
It is unknown how long the unprotected database has been open to the Internet.