Canadian mortgage broker’s customer database opens up on the internet
A Canadian mortgage broker’s database containing the personal information of thousands of people is open on the internet, according to security researchers.
Access to Toronto-based 8Twelve Financial Technologies’ database was quickly restricted after researcher Jeremy Fowler and staff at Website Planet, a resource for website builders, notified the company.
According to a report released today, the database has 717,814 records for thousands of Canadian residents, containing information related to home mortgages, including names, phone numbers, email addresses, physical addresses and more. Many of the records appear to be mortgage leads for people who want to buy a home, refinance, get an equity line of credit or buy an investment property, the report said.
“We immediately sent a responsible disclosure notice and 8Twelve acted quickly and professionally to restrict public access within hours of discovery,” the researchers said.
In an interview, Akber Abbas, president and chief information officer of 8Twelve Financial, said that in December an employee made a mistake while transferring data to an AWS bucket. “This incident happened when one of our reporting analysts accidentally left one of the ports open while doing the migration. It was quickly identified through our penetration testing. No data was removed from our servers. The individual was subsequently fired from the organization. We now have solutions to protect us going forward.”
As for the researchers who spotted the blunder, Abbas said: “We realized it ourselves before they informed us.”
Abbas said the company’s response included working with security consultants to close any gaps.
Asked if the incident was embarrassing, he replied: “Yes. You never want to be in that position. The reality in security is that things change very quickly. We’ve since [the incident]… Over the past four weeks, a few extra controls have been put in place on top of what we’ve done… be as proactive as possible.”
Abbas did not know whether his company had notified regulators of the breach of security controls.
The company has two lines of business: 8Twelve Mortgage, which provides mortgage loans and negotiates with 65 lenders to find the best mortgage rates in Toronto’s North York area, according to the company’s website; and 8T Capital, which provides short-term loans.
The apparent breach of security controls is just the latest in a string of unprotected corporate databases to be found on the internet. These misconfigured datasets are often uploaded to cloud storage services such as Amazon AWS, where their owners park them temporarily or stage them for data analysis, and then forget to password-protect them or to make sure they are not reachable from the public internet.
A blog from vendor SecurityTrails notes that some of the most common database missteps involve Elasticsearch, a database for storing and analyzing large amounts of data. The article points out that Elasticsearch binds only to localhost by default, which keeps it off the network. However, it adds that in order to make Elasticsearch available across an organization, database administrators often make the mistake of binding it to a public network interface without firewalling it.
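An added example, not from the article or from SecurityTrails: a small audit that reads an elasticsearch.yml and flags the misstep described above, a node bound to a non-loopback interface with no authentication enabled. It checks only the real settings `network.host`, `http.host` and `xpack.security.enabled`, assumes each is a single value rather than a list, and treats an absent `xpack.security.enabled` as off (the 7.x default; 8.x enables it by default). The two sample configs are constructed.

```python
import ipaddress

LOOPBACK_ALIASES = {"_local_", "localhost", "127.0.0.1", "::1"}
WIDE_OPEN_ALIASES = {"_site_", "_global_", "0.0.0.0", "::"}  # ES special values and wildcards


def parse_simple_yaml(text):
    """Parse flat 'key: value' lines (enough for top-level elasticsearch.yml settings)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def is_non_loopback(host):
    """True if the bind address is reachable from beyond the local machine."""
    if host in LOOPBACK_ALIASES:
        return False
    if host in WIDE_OPEN_ALIASES:
        return True
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # hostname or interface name: assume reachable until proven otherwise


def audit(settings):
    """Return a list of findings for a parsed elasticsearch.yml (empty list means no issue found)."""
    findings = []
    # With network.host absent, Elasticsearch binds to loopback; http.host overrides it for the HTTP API.
    bind = settings.get("http.host", settings.get("network.host", "_local_"))
    security_on = settings.get("xpack.security.enabled", "false").lower() == "true"
    if is_non_loopback(bind):
        findings.append(f"HTTP API bound to {bind!r}: reachable beyond localhost, firewall it")
        if not security_on:
            findings.append("xpack.security.enabled is not true: anyone who can reach port 9200 can read the data")
    return findings


# Constructed samples: the weak setting the article warns about, and a corrected one.
WEAK_CONFIG = "cluster.name: reports\nnetwork.host: 0.0.0.0  # exposed on every interface\nhttp.port: 9200\n"
FIXED_CONFIG = "cluster.name: reports\nnetwork.host: _local_\nxpack.security.enabled: true\nhttp.port: 9200\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit(parse_simple_yaml(cfg)) or ["no findings"])
```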
A great tool for finding exposed databases is the Shodan search engine, which can find anything connected to the Internet. As pointed out in a previous Wired article on public databases from 2017, if you want to find all MongoDB databases connected to the public internet, just type “MongoDB” into Shodan. Not all databases found had sensitive personal information, but some might.
According to Website Planet, the database contains:
- 717,814 records. The database contains one folder named “applicant” and five folders named “application”;
- Applicant name, email, work, home and mobile phone numbers. Some records contain physical addresses, states, or provinces. Data found in records may be considered personally identifiable information (PII), as most data may relate to a specific individual;
- In a random sample of 10,000 records, the term “email” returned 18,382 results. Each record shown contained two email addresses: one belonging to the applicant, accompanied by that of a corresponding 8Twelve agent designated as the person in charge. Almost all common email services appear in the data, notably Gmail (13,695 results) and Yahoo (3,406), as well as Outlook, iCloud, AOL, and to a lesser extent several other email providers.
- Mortgage leads from various Canadian provinces were collected in multiple folders labeled “Prod” (which we assume stands for “Production”). These records appear to indicate where the leads came from: Facebook ads, referrals, websites, etc. A campaign ID number is also listed on the applicant file, which we can infer is for internal tracking of sales and marketing effectiveness.
- Applicants self-submit information about their financial situation in the form of credit scores, bankruptcy, savings, finances and other data to start the loan application process. For credit evaluation purposes, mortgage brokers may be required to determine an applicant’s creditworthiness by disclosing the above financial information to independent credit reporting agencies or other sources.
- The records also include 8Twelve employee names, email addresses and an internal note about the potential loan or customer indicating whether the applicant is creditworthy.
(This story has been updated from the original with commentary from Akber Abbas added)