Hard Money Lender Leaked Thousands of Customers Personal Data
This kind of data has been recently discovered by MacKeeper researchers during the regular security scan. No username or password was required to access it as if it was a public database.
Another misconfigured MongoDB instance was part of the lending company, Anchor Loans, a big player in the lending sector for real estate investments that has originated more than 13 000 loans totaling over $3.7 billion. The company operates as a mortgage pool, investing directly in trust deeds and earning income from the interest paid by borrowers.
The database contained sensitive information such as SSNs, passwords, spouse information (incl. SSN), e-mail addresses, driver’s license numbers, financial details including salary and even bank statement amount.
Moreover, there were records of transaction details and communication logs with investors.
Plus logins and passwords required for clients to authorize on Anchor Loans web resources and indirect links to the scanned copies of contracts.
Once our experts have come across this information, we’ve contacted company representative to report about the data breach and help get it secured. Anchor Loan was quick in getting back to us and currently internal investigation in under way. Database had been taken offline since then.
According to Anchor Loan:
"Based on what we now know, however, we believe that much of the information was related to real estate data and real estate transactions, some of which is publicly available, and the great majority of which is not sensitive personal identifying information of our contacts. At this time, we have identified approximately 20,000 individuals whose data could have been exposed, had any of this data been illegally copied or accessed by any other third party. Again, we are continuing our investigation, and we will continue to refine these numbers".
Any industry that works with sensitive information such as banking and finance must take every possible step to secure their customer’s data. State and Federal requires that not only is this information kept secure and private, but also that borrowers’ be notified of any breach. Some states even go as far as to require credit monitoring and repair for up to 3 years.
As company indicates on the website: “Rates and terms are dependent on your application. The more information you provide, the more options we can provide you with”. Applicants are encouraged to leave more personal details and thus become an attractive target for attackers.
According to Anchor Loans,
"as soon as we have sufficient information to do so, we will take all necessary steps to ensure that the individuals who may have been impacted are appropriately informed, and to provide information and resources to any of our contacts who have questions about the security of their data or our response to this incident".
Needles to say that if such data falls into malicious hands both company’s current clients and potential borrowers are at risk to have accounts misused by scammers. One of such cases was halted by Federal Trade Commission in Missouri. According to Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, two scammers bought consumers’ personal information, made unauthorized payday loans, and then helped themselves to consumers’ bank accounts without their authorization.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to MacKeeper Security Research Center.
Do you have security tips or suggestions? Contact: firstname.lastname@example.org
Stay tuned to the latest security news by visiting MacKeeper Security Watch blog.