A Canadian mortgage broker’s database containing personal information on thousands of people has been left open on the internet, according to security researchers.
Access to the database belonging to Toronto-based 8Twelve Financial Technologies was quickly restricted after the company was notified by researcher Jeremy Fowler and the staff of Website Planet, which offers resources for website builders.
According to a report released today, the database contains 717,814 records on thousands of Canadian residents, with information related to home mortgage loans including names, phone numbers, email addresses, physical addresses, and more. Many of the records appeared to be mortgage leads of people wanting to buy a home, refinance, get an equity line of credit, or buy an investment property, the report says.
“We immediately sent a responsible disclosure notice and 8Twelve acted quickly and professionally by restricting public access within hours of finding out,” the researchers say.
ITWCanada sent an email to 8Twelve Financial chief marketing officer Rick McLaughlin requesting an interview with an official to explain how the incident occurred. No response had been received by press time.
The company has two lines of business: 8Twelve Mortgage for mortgage loans, which negotiates, the company’s site says, with 65 lenders to get the best mortgage rates in the Toronto-North York region; and 8T Capital, which offers short-term loans.
This apparent breach of security controls is just the latest in a series of corporate databases found unprotected on the internet. Often these incorrectly configured files are uploaded to cloud storage sites such as Amazon AWS, where the creators put them temporarily or intend to perform data analysis, and then forget to protect the files with a password or to ensure that they are not connected to the public internet.
A blog post from vendor SecurityTrails notes that some of the most common database blunders involve Elasticsearch, a database for storing and analyzing large amounts of data. By default Elasticsearch binds only to localhost, the post notes, which is reasonably secure. But to make Elasticsearch usable across an organization, the post adds, database administrators often make the mistake of binding it to a public network interface without adding a firewall.
A great tool for finding exposed databases is the Shodan search engine, which indexes devices and services connected to the internet. As a 2017 article on exposed databases in Wired noted, if you want to find all the MongoDB databases connected to the public internet, just type “MongoDB” into Shodan. Not every database it turns up holds sensitive personal information, but some may.
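The misconfiguration the SecurityTrails post describes is visible in a single file. The script below is an added example, not code from the article, SecurityTrails or 8Twelve: it reads an Elasticsearch node configuration, decides whether the node listens beyond loopback, and whether authentication is explicitly enabled, and reports the combination the article warns about (reachable from the network with no credentials). The two elasticsearch.yml fragments are constructed for illustration; the parser assumes the flat `dotted.key: value` layout that file normally uses, and, because the default for `xpack.security.enabled` differs between Elasticsearch versions, it treats an unset value as "not enabled" (an assumption stated in the code).

```python
"""Audit an elasticsearch.yml for the exposure pattern: bound beyond loopback
with authentication not enabled. Added example; the sample configs are constructed."""

from __future__ import annotations

from ipaddress import ip_address
from typing import Dict

# Elasticsearch special values that keep the node on the loopback interface.
LOOPBACK_VALUES = {"localhost", "_local_"}

# Constructed sample: the blunder described above (listens everywhere, no auth set).
WEAK_CONFIG = """\
cluster.name: leads-cluster        # constructed example values
node.name: node-1
network.host: 0.0.0.0              # listens on every interface
http.port: 9200
# xpack.security.enabled is left unset
"""

# Constructed sample: loopback only, with authentication switched on explicitly.
HARDENED_CONFIG = """\
cluster.name: leads-cluster
node.name: node-1
network.host: 127.0.0.1            # loopback only; reach it via a proxy or VPN
http.port: 9200
xpack.security.enabled: true       # credentials required even locally
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse single-line `key: value` settings; comments, blank lines and
    nested or list syntax are skipped (assumption: the settings audited here
    are written on one line each, the usual case for elasticsearch.yml)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line or line.startswith("-"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"').strip("'")
        if key and value:
            settings[key] = value
    return settings


def is_loopback_bind(value: str) -> bool:
    """True only when every listed bind address stays on loopback.
    Accepts a single value or a bracketed list such as `[127.0.0.1, ::1]`."""
    for part in value.strip("[]").split(","):
        part = part.strip().strip('"').strip("'")
        if not part or part in LOOPBACK_VALUES:
            continue
        try:
            if ip_address(part).is_loopback:
                continue
        except ValueError:
            pass  # _site_, _global_, hostnames and interface names: not loopback
        return False
    return True


def audit_elasticsearch(text: str) -> Dict[str, object]:
    """Summarise the listening side of the node and whether it is exposed."""
    cfg = parse_flat_yaml(text)
    # network.bind_host, when present, overrides network.host for listening;
    # Elasticsearch's own default when neither is set is _local_.
    bind = cfg.get("network.bind_host", cfg.get("network.host", "_local_"))
    # Assumption: an unset value is treated as "not enabled" (version-dependent).
    auth_enabled = cfg.get("xpack.security.enabled", "").lower() == "true"
    public = not is_loopback_bind(bind)
    return {
        "bind_value": bind,
        "publicly_bound": public,
        "auth_enabled": auth_enabled,
        # The blunder from the article: reachable beyond localhost, no credentials.
        "exposed": public and not auth_enabled,
    }


if __name__ == "__main__":
    for label, cfg_text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_elasticsearch(cfg_text))
```

A node that is publicly bound but has authentication enabled is a legitimate production layout, so the audit reports it as bound rather than exposed; a firewall or cloud security group still belongs in front of it, and that control lives outside this file, which is why the script cannot vouch for it.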
According to Website Planet, the database contained the following:
- 717,814 records. The database contained one folder named “applicant” and five folders named “application”;
- applicant names, e-mails, work, home, and cell phone numbers. Some records contained physical, state or provincial addresses. As most data may relate to a specific individual, data found in the records may be considered Personally Identifiable Information (PII);
- in a random sampling of 10,000 records, the term “email” returned 18,382 results. Each record displayed contained two email addresses; one relating to the applicant and a corresponding one from the 8Twelve agents to whom the instruction was assigned. Almost every popular email service appeared in the data, especially Gmail (13,695 results), and Yahoo (3,406), as well as Outlook, iCloud, AOL, and a smaller number of multiple other email providers.
- mortgage instructions from multiple Canadian provinces were collected in multiple folders marked “Prod” (which we think stands for “production”). The records seemed to show where the leads came from: Facebook ads, referral, website, etc. Campaign identification numbers were also listed in the applicant files, which we infer were for the purposes of internal tracking of sales and marketing effectiveness.
- information submitted by applicants about their own financial position, in the form of their credit scores, bankruptcy, savings, finances, and other data to begin the loan application process. For credit evaluation purposes, mortgage agents may be required to determine an applicant’s creditworthiness by disclosing the aforementioned financial information to an independent credit reporting agency or other source.
- the records also included names of 8Twelve employees, email addresses, and internal notes about the loan or potential customer, indicating whether or not an applicant had credit.
It is not known how long the unprotected database was open to the internet.