New Mortgage Data Breach Illustrates Familiar Risks

Not that anyone needed another reminder, but a financial services vendor has provided an illustration of the fact that sensitive data should never be left unencrypted.

As first reported by TechCrunch and security researcher Bob Diachenko, millions of records containing Social Security numbers, tax information, credit scores, and other mortgage data were discovered, unencrypted, on a publicly-available server in early January. The company directly responsible for the breach has already taken its website offline and stopped responding to questions, but the repercussions may only be beginning.

The data in question had been pulled from mortgage applications and other documents through optical character recognition (OCR), and had originally come from some of the country's largest banks. It was sitting on a server without encryption, without masking, without even a password to prevent unauthorized access. Bob Diachenko discovered the breach while searching for unprotected data and eventually traced it back to a vendor working for Ascension, a financial data and analytics company.

The vendor repsonsible for the breach has taken its website offline, leaving Ascension (along with several banks who have no involvement in the incident) to answer questions about what happened and why the data wasn't protected. It remains to be seen whether the breach will also provide an early look at the enforcement process for NYCRR 500 or other state-level data protection laws.

The key takeaway from this story is, of course, that unprotected data is never safe. Files and database records are constantly being created, copied, and shared, and there's no way to predict where they will eventually turn up. The only way to prevent the exposure of sensitive data is to create detailed information security policies, and to use data-centric security technology to apply those policies across the enterprise. If those mortgage records had been encrypted, for example, it wouldn't have mattered that the server itself was open to the public, because no one but authorized users could have accessed the data.

We don't know how many data thieves grabbed Ascension's 24 million records before the server was taken down, but we can be certain that any who did (and plenty of other hackers like them) are already on the hunt for the next treasure trove of unprotected data.

PKWARE’s Smartcrypt is a data-centric security platform that automatically finds and protects files containing sensitive data. With Smartcrypt, you can meet your compliance obligations and keep data safe from internal and external threats.