The customer database of a Canadian mortgage broker was left open on the Internet
A Canadian mortgage broker’s database containing the personal information of thousands of people has been left open online, according to security researchers.
Access to the database belonging to Toronto-based 8Twelve Financial Technologies was quickly restricted after the company was notified by researcher Jeremy Fowler and staff at Website Planet, which provides resources for website builders.
According to a report issued today, the database holds 717,814 records on thousands of Canadian residents, with information related to home loans, including names, phone numbers, email addresses, physical addresses, and more. Many of the records appeared to be mortgage leads from people looking to buy a home, refinance, get a home equity line of credit or buy an investment property, the report says.
“We immediately submitted a responsible disclosure notice, and 8Twelve acted promptly and professionally by restricting public access within hours of our discovery,” the researchers say.
ITWorldCanada emailed 8Twelve Financial director of marketing Rick McLaughlin requesting an interview with an official to explain how the incident happened. No response had been received at press time.
The company has two lines of business: 8Twelve Mortgage for home loans, which the company’s website says negotiates with 65 lenders to find the best mortgage rates in Toronto’s North York region; and 8T Capital, which offers short-term loans.
This apparent breach of security controls is just the latest in a series of corporate databases found unprotected on the Internet. Often these misconfigured files are uploaded to cloud storage services such as Amazon AWS, where their creators put them temporarily or intend to perform data analysis, and then forget to password-protect the files or to make sure they are not reachable from the public Internet.
A blog post from the provider SecurityTrails points out that some of the most common database exposures involve Elasticsearch, a database for storing and analyzing large amounts of data. Elasticsearch binds by default only to localhost, the post notes, which is safe enough. But to make Elasticsearch usable across an organization, the post adds, database administrators often make the mistake of binding it to the public network interface without protecting it with a firewall.
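As an added illustration (not from the article or the SecurityTrails post), the following Python check audits an elasticsearch.yml for exactly the mistake described above: a non-loopback bind without security explicitly enabled. The sample configurations are constructed, and the parser assumes the flat `key: value` lines that file normally uses.

```python
# Constructed example: a linter for the flat `key: value` lines that
# elasticsearch.yml normally uses (nested YAML is not handled).

# Values that keep Elasticsearch on the loopback interface only.
LOOPBACK = {"_local_", "localhost", "127.0.0.1", "::1"}

def parse_flat_yaml(text):
    """Return {key: value}; bracketed lists become Python lists, comments are dropped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip().strip("\"'")
        if value.startswith("[") and value.endswith("]"):
            value = [v.strip().strip("\"'") for v in value[1:-1].split(",") if v.strip()]
        settings[key.strip()] = value
    return settings

def audit(config_text):
    """Return a list of findings; an empty list means no exposure was detected."""
    s = parse_flat_yaml(config_text)
    # Elasticsearch stays on loopback when network.host is absent; http.host overrides it.
    hosts = s.get("http.host", s.get("network.host", "_local_"))
    if isinstance(hosts, str):
        hosts = [hosts]
    findings = []
    exposed = [h for h in hosts if h not in LOOPBACK]
    if exposed:
        # Any non-loopback bind (even a private address) needs a firewall or an
        # authenticating proxy in front of port 9200, or it becomes the exposure above.
        findings.append(f"binds to non-loopback address(es): {exposed}")
        if str(s.get("xpack.security.enabled", "")).lower() != "true":
            findings.append("xpack.security.enabled is not explicitly true: "
                            "anyone who can reach the port can read every index")
    return findings

# Constructed sample configurations (not from any real deployment).
WEAK_CONFIG = """
cluster.name: leads-prod
network.host: 0.0.0.0          # reachable on every interface
xpack.security.enabled: false
"""
SAFE_CONFIG = """
cluster.name: leads-prod
network.host: _local_
xpack.security.enabled: true
"""
```

Running `audit(WEAK_CONFIG)` returns two findings, while `audit(SAFE_CONFIG)` returns an empty list.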
A widely used tool for finding exposed databases is the Shodan search engine, which indexes anything connected to the Internet. As a 2017 Wired article on exposed databases noted, if you want to find all MongoDB databases connected to the public Internet, just type “MongoDB” into Shodan. Not all databases found will hold sensitive personal information, but some will.
According to Website Planet, the database contained:
- 717,814 records. The database contained one folder named “applicant” and five folders named “application”;
- applicants’ names, email addresses, and work, home, and cell phone numbers. Some records contained physical addresses and the state or province. Since most data could be associated with a specific individual, the data found in the records could be considered Personally Identifiable Information (PII);
- In a random sample of 10,000 records, the term “email” returned 18,382 hits. Each displayed record contained two email addresses: one belonging to the applicant, accompanied by that of the 8Twelve agent who was assigned the lead. Almost every common email service appeared in the data, notably Gmail (13,695 results) and Yahoo (3,406), along with Outlook, iCloud, AOL, and a smaller number of many other email providers.
- Mortgage leads from various Canadian provinces were collected in various folders marked “Prod” (which we assume stands for “production”). The logs seemed to indicate where the leads were coming from: Facebook ads, referrals, website, etc. Campaign ID numbers were also included in the requesters’ files, which we can infer was for internal tracking of sales and marketing effectiveness.
- Information self-submitted by applicants about their own financial situation, in the form of credit scores, bankruptcy, savings, finances, and other data to start the loan application process. For credit evaluation purposes, mortgage brokers may need to determine an applicant’s creditworthiness by disclosing the above financial information to an independent credit reporting agency or other source.
- The records also included 8Twelve employee names, email addresses, and internal notes about the prospective loan or customer, indicating whether or not the applicant was creditworthy.
It is unknown how long the unprotected database was open on the Internet.