Canadian Mortgage Broker’s Client Database Left Open on the Internet

A Canadian mortgage broker’s database containing personal details of thousands of people has been left open on the internet, security researchers say.

Access to Toronto-owned database 8Twelve financial technologies was quickly restricted after the company was tipped off by researcher Jeremy Folwer and the staff of Website Planet, which offers resources for website builders.

According to a report released today, the database contains 717,814 records on thousands of Canadian residents, with home mortgage information including names, phone numbers, email addresses, physical addresses, and more. Many records appeared to be mortgage leads from people wanting to buy a home, refinance, get an equity line of credit, or buy an investment property, the report said.

“We immediately sent a Responsible Disclosure Notice and 8Twelve acted quickly and professionally restricting public access within hours of our discovery,” the researchers say.

ITWorldCanada sent an email to 8Twelve Financial’s chief marketing officer, Rick McLaughlin, requesting an interview with a manager to explain how the incident occurred. No response had been received by press time.

The company has two lines of business: 8Twelve Mortgage for mortgages, which, according to the company’s site, negotiates with 65 lenders to find the best mortgage rates in the North York area of ​​Toronto; and 8T Capital, which offers short-term loans.

This apparent breach of security controls is just the latest in a series of corporate databases found unprotected on the Internet. Often these misconfigured files are uploaded to cloud storage sites like Amazon AWS, where the creators put them temporarily or intend to do some data analysis, then forget to password protect the files or save them. ensure they are not connected to the public. the Internet.

A SecurityTrails vendor blog note that some of the most common database errors involve the use of Elasticsearch, a database for storing and analyzing large amounts of data. Elasticsearch binds to localhost only by default, the article notes, which is secure enough. But, he adds, to make Elasticsearch usable in an organization, database administrators often make the mistake of tying Elasticsearch to the public network interface without the firewall.

A great tool for finding exposed databases is the Shodan search engine, which finds anything connected to the Internet. As noted in a 2017 article on Exposed Databases in Wired, if you want to find all MongoDB databases connected to the public internet, just type “MongoDB” in Shodan. Not all databases found will contain sensitive personal information, but some may.

According to Website Planet, the database contained:

  • 717,814 records. The database contained one folder named “applicant” and five folders named “request”;
  • candidate names, emails, work, home and cell phone numbers. Some records contained physical, state or province addresses. As most of the data could relate to a specific individual, the data found in the records could be considered Personally Identifiable Information (PII);
  • in a random sample of 10,000 records, the term “email” returned 18,382 results. Each record displayed contained two email addresses; one belonging to the applicant accompanied by a correspondent of the 8Twelve agent who has been entrusted with the management. Almost all popular email services appeared in the data, including Gmail (13,695 results) and Yahoo (3,406), along with Outlook, iCloud, AOL and a smaller number of several other email providers.
  • Mortgage leads from several Canadian provinces were collected in several files marked “Prod” (which we believe means “production”). The records seemed to indicate where the leads came from: Facebook ads, referral, website, etc.
  • information provided by applicants about their own financial situation, in the form of their credit scores, bankruptcy, savings, finances and other data to start the loan application process. For credit reporting purposes, mortgage officers may need to determine an applicant’s creditworthiness by disclosing the above financial information to an independent credit reporting agency or other source.
  • the records also included 8 Twelve employee names, email addresses, and internal notes about the loan or prospect, indicating whether or not the applicant was creditworthy.

It is not known how long the unprotected database has been open on the Internet.

Leave a Comment