Financial data exposure and third-party issues.
TechCrunch reported Wednesday that data from more than 24 million bank loan and mortgage documents were found on an unsecured server by security researcher Bob Diachenko. The server was storing over a decade's worth of "loan and mortgage agreements, repayment schedules and other highly sensitive financial and tax documents." The data had been converted from paper documents via optical character recognition (OCR) and stored in an Elasticsearch cluster on the server. Diachenko and TechCrunch traced the source of the leak to a data and analytics company called Ascension, which said that one of its vendors was the culprit. The vendor, New York-based software company OpticsML, said it was "working with the appropriate authorities and a forensic team to analyze the full extent of the situation."
On Thursday, TechCrunch reported that Diachenko had discovered a second server, also without a password and accessible from the Internet. This one stored 23,000 pages of original documents. Diachenko noted that this was an Amazon S3 server, which would be password-protected and offline by default, so someone at some point chose to remove its password and connect it to the Internet. It's not clear how long this server was exposed or how many times it had been accessed by unauthorized parties. Diachenko told TechCrunch that "this information would be a gold mine for cyber criminals who would have everything they need to steal identities, file false tax returns, get loans or credit cards."