Millions of mortgage, loan documents were exposed online in massive security lapse




A massive online data leak reportedly involving more than 24 million mortgage and bank loan documents exposed sensitive consumer information from several major U.S. lenders, according to a tech news website.

The security lapse was first reported by Zack Whittaker of TechCrunch Wednesday afternoon. An unprotected online server that didn’t have a password is the cause of the leak, leaving millions of pages of sensitive documents accessible to anyone online, TechCrunch reported.

The exposed data included mortgage and loan agreements, amortization schedules and other sensitive financial documents that revealed borrowers’ names, addresses, phone numbers, Social Security numbers, and birth dates, among other data, according to the TechCrunch report.

Additionally, TechCrunch found that the data came from loans and mortgages dating back to 2008 (or earlier), and included files from CitiFinancial (formerly a lending finance division of Citigroup), HSBC Life Insurance, Wells Fargo, Capital One and some federal agencies, including the U.S. Department of Housing and Urban Development.

Although the information was online for just two weeks, independent infosecurity researcher Bob Diachenko was able to find the stockpile. In a blog post about his discovery, Diachenko writes that he found the exposed data on Jan. 10 in random parts (not in single reports), and immediately alerted one of the lenders to investigate. By Jan. 15, the database had been secured, Diachenko writes.

“These documents contained highly sensitive data, such as Social Security numbers, names, phones, addresses, credit history, and other details which are usually part of a mortgage or credit report,” Diachenko writes on his blog. “This information would be a gold mine for cyber criminals who would have everything they need to steal identities, file false tax returns, get loans or credit cards.”

TechCrunch assisted Diachenko in tracing the security lapse to Ascension, a data and analytics firm for the mortgage servicing industry based in Fort Worth, Texas. In addition to custom data analysis, Ascension converts paper documents into electronic files, which is where Diachenko said the leak originated.

From the TechCrunch article:

“Sandy Campbell, general counsel at Ascension’s parent company, Rocktop Partners, which owns more than 46,000 loans worth $4.4 billion, confirmed the security incident to TechCrunch, but said its systems were unaffected.

“On January 15, this vendor learned of a server configuration error that may have led to exposure of some mortgage-related documents,” he said in a statement. “The vendor immediately shut down the server in question, and we are working with third-party forensics experts to investigate the situation. We are also in regular contact with law enforcement investigators and technology partners as this investigation proceeds.”

An unspecified portion of the loans were shared with the contractor for analysis, the statement added, but couldn’t immediately confirm how many loan documents were exposed.”

What to do if you suspect your personal info has been exposed

Data breaches can become a major financial and personal headache. To protect your finances, take these five steps if you think your information has been compromised.

1. Don’t hesitate: Freeze your credit

A credit freeze may protect you if someone tries to apply for credit in your name using information that they accessed during a breach. Every data breach is another reminder that you should take advantage of this free service. Each of the three major credit bureaus has procedures for freezing your credit.

2. Monitor accounts and your credit

Being proactive about monitoring your credit and your financial accounts allows you to see if there is any unusual activity. You can get a free credit report from Bankrate.

Because some credit card numbers and expiration dates may have been compromised, you may want to talk to your financial institution about getting a new credit or debit card number issued. At the very least, it’s smart to have text, email or mobile notifications of purchases and to monitor your accounts on a daily basis for potential fraudulent activity.

3. Add new layers of security

Safeguard your accounts by enrolling in two-factor authentication, which would require you to log on using both a password and a one-time code sent to your smartphone. That would make it more difficult for a criminal to gain access.

You’ll also want to set up a PIN code with your wireless provider, so a customer service agent wouldn’t be tricked into allowing a hacker to commandeer your phone. Establish a system with financial advisers who have access to your investment accounts so it would take more than just a simple email from you to get them to wire money from your funds.

4. Be careful with your taxes

Identity thieves don’t stop with credit cards. In 2017, the IRS received 242,000 reports from taxpayers of identity theft. One way to remain vigilant when it comes to protecting yourself from identity theft is to file your return as early as possible, and change your withholding to lower a potential refund.

If you think you’re the victim of fraud, file the identity-theft affidavit, Form 14039, with the IRS.

5. Watch your emails and snail mail

Hackers also may use stolen information to send you a phishing email – a note that looks legitimate but contains links to malware. It’s usually better to go right to the website and type in the address in your browser, rather than clicking on a link – if possible.

Fraudsters can use these emails to get you to click on encryption ransomware, which can block you out of your photos and sensitive files until you agree to pay a ransom to regain access. Backing up your data on a hard drive is key.

Read your email carefully before responding, paying special attention to the sender. A scammer might hide behind a name that looks familiar, but the spelling will be off by a letter or two.
