Update: One day later, the story of the OpticsML breach got much worse when Bob Diachenko found a second exposure involving the vendor. Read about it here.
Original post:
Zack Whittaker reports on a leak discovered by Bob Diachenko of Security Discovery:
A trove of more than 24 million financial and banking documents, representing tens of thousands of loans and mortgages from some of the biggest banks in the U.S., has been found online after a server security lapse.
The server, running an Elasticsearch database, had more than a decade’s worth of data, containing loan and mortgage agreements, repayment schedules and other highly sensitive financial and tax documents that reveal an intimate insight into a person’s financial life.
But it wasn’t protected with a password, allowing anyone to access and read the massive cache of documents.
Read more on TechCrunch and SecurityDiscovery. Zack and Bob collaborated to determine that the likely source of the leak was Ascension Data & Analytics, and not Citi, although many of the documents appeared to be related to Citi customers. Ascension claimed that one of their vendors, OpticsML, was responsible.