Ascension Database Misconfiguration Exposes 24 Million Financial and Banking Documents

• A huge banking database of sensitive information was left wide open for anyone to access.
• The information contained in the documents makes it a goldmine for cybercriminals.
• The situation with non-secure databases has reached unprecedented levels of irresponsibility.

Another day, another ElasticSearch database misconfiguration leading to the exposure of sensitive data belonging to millions of people who had no other option than trusting the institutions with them. This time, however, the data is very sensitive and the amount is mind-boggling. The researcher who discovered that the database was open for anyone to access for at least two weeks is Bob Diachenko of SecurityDiscovery.com, and the actual day of the discovery was the 10th of January. According to Diachenko’s findings, the amount of data contained in the unprotected ElasticSearch cluster reach the size of 51 GB, comprising of 24 million individual documents.

In all, the database corresponded to ten years of sensitive banking documents that contained full names, phones, addresses, credit history, social security numbers, mortgage information, and credit reports. Some records even included details such as tax forms (W-2), bankruptcy filings, and the reasoning behind loan requests. The owner of the database was Ascension Data & Analytics, a company that specializes in the conversion of handwritten documents into digital form through the process of OCR (Optical Character Recognition). Following the report by the researcher, the database was taken offline on January 15.

Image source: securitydiscovery.com

TechCrunch, who took part in the investigation of the incident, acquired the following response from Ascension’s parent company: “A server configuration error may have led to the exposure of some mortgage-related documents. The vendor immediately shut down the server in question, and we are working with third-party forensics experts to investigate the situation. We are also in regular contact with law enforcement investigators and technology partners as this investigation proceeds.”

The fact that tracing back who was responsible for this incident required an investigation, is indicative of the extent of the number of acquisitions that various mortgage divisions and client loan assets went through. This series of handler changes combined with the time span of the data means that informing the affected people of the leak would now take a great effort from various companies, some of which have already gone defunct.

Bob Diachenko is the same researcher behind the recent stories of the AIESEC and the MongoDB database leak revelations, so the experienced security specialist has reached to the point of publicly offering to help companies like Ascension realize that they have misconfigured their databases through a relevant Tweet.

hey @MongoDB / @elastic - is there a way we can team up so I can send security alerts on your behalf to the businesses which have their instances misconfigured? Just sad to see how irresponsible people set up your systems..

— Bob Diachenko 🇺🇦 (@MayhemDayOne) January 23, 2019

Do you think it’s time to impose more stringent database protection regulations for companies who handle such sensitive personal data? Let us know of your comments below, and feel free to share this story by visiting our socials on Facebook and Twitter.