A Canadian mortgage broker’s database containing the personal information of thousands of people has been exposed online, according to security researchers.
Access to a database owned by Toronto-based 8Twelve Financial Technologies was restricted after the company was notified by researcher Jeremy Fowler and staff at Website Planet, which offers resources for website builders.
According to a report released today, the database contains names, phone numbers, email addresses, physical addresses and more, including 717,814 records on thousands of Canadian residents with home mortgage loan information. Many of the records appear to relate to mortgage loans for people looking to buy a home, refinance, take out a home equity loan or buy an investment property, the report says.
“We immediately issued a responsible disclosure notice, and 8Twelve acted quickly and professionally by restricting public access within hours of our discovery,” the researchers said.
IT World Canada asked Rick McLaughlin, chief marketing officer of 8Twelve Financial, for an interview with an official to explain how the incident occurred. No response had been received as of publication.
The company has two lines of business, according to its website: 8Twelve Mortgage, which negotiates with 65 lenders to find the best mortgage rates in Toronto’s North York area, and 8T Capital, which offers short-term loans.
This apparent breach of security controls is the latest in a string of unsecured corporate databases discovered on the Internet. Often, these misconfigured databases are uploaded to cloud platforms such as Amazon AWS, where their creators host them temporarily or intend to perform data analysis, then forget to password-protect them or to ensure they are not publicly accessible from the Internet.
A blog post from the security vendor SecurityTrails notes that some of the most common database mistakes involve Elasticsearch, a database for storing and analyzing large volumes of data. Elasticsearch binds only to localhost by default, which the post says is safe enough. But, it adds, to make Elasticsearch usable across an organization, database administrators often make the mistake of binding Elasticsearch to a public network interface without a firewall in front of it.
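As an added example (not code from the article, from SecurityTrails or from Elasticsearch itself), a small Python check that reads the flat `key: value` form of an `elasticsearch.yml` and flags the pattern just described: a non-loopback `network.host` with security not enabled. `network.host` and `xpack.security.enabled` are real Elasticsearch settings; the two configurations are constructed, and the parser is deliberately minimal.

```python
"""Audit a flat elasticsearch.yml for the exposure pattern described above.
Constructed example, not from the article or Elasticsearch; reads ``key: value`` lines only."""
import ipaddress

LOOPBACK_NAMES = {"_local_", "localhost", "127.0.0.1", "::1"}


def parse_flat_yaml(text: str) -> dict:
    """Parse ``key: value`` lines; drops comments, blanks and nesting."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def is_loopback(host: str) -> bool:
    if host in LOOPBACK_NAMES:  # '_local_' is Elasticsearch's loopback alias
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostnames and other special values: treat as exposed


def audit(text: str) -> list:
    """Return findings; an empty list means the node stays loopback-only."""
    s = parse_flat_yaml(text)
    host = s.get("network.host", "_local_")  # absent means loopback-only
    findings = []
    if not is_loopback(host):
        findings.append(f"network.host={host} binds a non-loopback interface")
        if s.get("xpack.security.enabled", "").lower() != "true":
            findings.append("xpack.security.enabled not true: HTTP API may be unauthenticated")
    return findings


# Constructed configs: the weak setting beside the corrected one.
WEAK_CONFIG = """
network.host: 0.0.0.0          # reachable from every interface
xpack.security.enabled: false  # nothing in front of :9200 asks for credentials
"""
FIXED_CONFIG = """
network.host: 127.0.0.1        # loopback only; publish via firewall or reverse proxy
xpack.security.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit(cfg) or "ok")
```

Running the script prints two findings for the weak configuration and "ok" for the corrected one; the same check can be pointed at a real file's contents before a node is deployed.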
An excellent tool for finding open databases is the Shodan search engine, which finds everything connected to the Internet. As mentioned in a 2017 article on open databases in Wired, if you want to find all MongoDB databases connected to the public internet, just type “MongoDB” into Shodan. Not all databases found will contain sensitive personal information, but some may.
According to Website Planet, the database includes:
- 717,814 records. The database contained one folder called “applicant” and five folders called “application”;
- applicants’ names, emails, and work, home and mobile phone numbers. Some records contain physical addresses and state or province. Information found in the records may be considered Personally Identifiable Information (PII) because most of it can be linked to a specific individual;
- In a random sample of 10,000 records, the term “email” returned 18,382 results. Each record shown contained two email addresses: one belonging to the applicant and one to the 8Twelve agent assigned to them. Almost all common email services appeared in the data, particularly Gmail (13,695 results) and Yahoo (3,406), along with Outlook, iCloud, AOL and a smaller number of other email providers.
- Mortgages from many Canadian provinces are collected in multiple folders labeled “Product” (which we assume means “production”). The records showed where the leads came from: Facebook ads, referral, website, etc. Campaign ID numbers are also recorded in applicant files, which we believe are for the purposes of internal tracking of sales and marketing effectiveness.
- information that applicants provide about their financial situation in the form of credit scores, bankruptcy, savings, financial and other information to begin the loan application process. For credit evaluation purposes, mortgage agents may be required to determine an applicant’s creditworthiness by disclosing the above financial information to an independent credit reporting agency or other source.
- records also include 8Twelve employees’ names, email addresses, and internal notes on a potential loan or customer indicating whether the applicant is creditworthy.
It is not known how long the unprotected database was open to the internet.