Lapse in security exposes millions of bank loan and mortgage documents online - Comment

It has been revealed that a security lapse has led to another dramatic Elasticsearch database breach, which has left more than 24 million financial and banking documents exposed online, with much of the information linked to some of the biggest banks in the U.S.

Commenting on the news are the following security professionals:


Jonathan Deveaux, Head of Enterprise Data Protection at comforte AG:

“Applied for a loan in the past 10 years? Then your personal data may have been exposed.

What’s unique about this cyber security leak is that the data may have originated at major banks (Citi, HSBC, and Wells to name a few) but they didn’t expose the data. A company who obtains the data for analytical purposes (think Big Data and ML) is most likely the source. It was reported that their servers were misconfigured and there were no password requirements to access the data.


If the banks are securing personal data when taking the loan application, but handing the data off to another company *unprotected* then this is a major security gap. And even if the data is secured when given to a company for analytical purposes, the next step is to ensure the data stays protected while they analyze it. 


One of the data elements exposed in the report was social security numbers. There’s really no useful reason why an SSN is needed for analysis. SSNs could have been masked or tokenized, while other data was used for analytical purposes.


Banks and other Fintech companies need to really understand how other parties will use the personal data they provide them. And maybe it’s time they stop working with companies who don’t do more to secure sensitive data.”
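The masking and tokenization the comment above describes, as an added example that is not part of the original article or of comforte's products: a loan record has its SSN replaced by a keyed HMAC token before handoff to an analytics party, a display mask keeps only the last four digits, and a pre-handoff check flags any field that still looks like a raw SSN. The record, field names and key are constructed placeholders.

```python
import hashlib
import hmac
import re

# Accepts the common SSN shapes: 123-45-6789 or 123456789 (constructed samples below).
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def mask_ssn(ssn: str) -> str:
    """Irreversible display mask: only the last four digits survive."""
    if not SSN_RE.match(ssn):
        raise ValueError("value is not SSN-shaped")
    return "***-**-" + ssn.replace("-", "")[-4:]


def tokenize_ssn(ssn: str, key: bytes) -> str:
    """Deterministic keyed token (HMAC-SHA256) standing in for the SSN.

    The same SSN maps to the same token under one key, so analysts can
    still join and de-duplicate records, but without the key the token
    cannot be reversed. A plain hash would not do: the SSN space is only
    about 10^9 values, so an unkeyed digest could be enumerated. The key
    stays with the data owner; the analytics party never receives it.
    """
    if not SSN_RE.match(ssn):
        raise ValueError("value is not SSN-shaped")
    digits = ssn.replace("-", "").encode()
    return hmac.new(key, digits, hashlib.sha256).hexdigest()[:16]


def prepare_for_analytics(record: dict, key: bytes) -> dict:
    """Return a copy of a loan record that is safe to hand to an analytics party."""
    out = dict(record)
    out["ssn_token"] = tokenize_ssn(out.pop("ssn"), key)
    return out


def find_raw_ssn_fields(record: dict) -> list:
    """Pre-handoff check: names of string fields that still look like an SSN."""
    return [k for k, v in record.items() if isinstance(v, str) and SSN_RE.match(v)]


# Constructed sample record and key (placeholders, not real data).
SAMPLE_KEY = b"demo-key-held-by-the-bank-only"
SAMPLE_RECORD = {"loan_id": "L-0001", "ssn": "123-45-6789",
                 "amount": 250000, "state": "NY"}

if __name__ == "__main__":
    safe = prepare_for_analytics(SAMPLE_RECORD, SAMPLE_KEY)
    print(find_raw_ssn_fields(SAMPLE_RECORD), find_raw_ssn_fields(safe))
    print(safe["ssn_token"], mask_ssn(SAMPLE_RECORD["ssn"]))
```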


Tim Erlin, VP at Tripwire:


“This wasn’t a sophisticated attack by a well-funded nation-state adversary. It was a misconfiguration, a mistake. Organizations need to be able to detect and remediate misconfigurations, period. This is highly sensitive data that was exposed to anyone willing to look for it. Moving data and applications to the cloud doesn’t magically absolve an organization of its security responsibilities.”