Millions of Financial Records Leaked at Texas-Based Data Firm

Photo: Getty

For at least the third time in as many days, a large cache of sensitive data has been reportedly exposed due to a misconfigured Elasticsearch server. In this case, a whopping 24 million financial and banking records are said to be involved.

On Wednesday, independent security researcher Bob Diachenko disclosed publicly that more than a decade’s worth of credit and mortgage records, many linked to some of the country’s largest banks and lenders, was temporarily exposed online. Many of the records include personal details, he said, such as Social Security numbers and home addresses.


He described the cache as a “gold mine” for cyber criminals looking to file false tax returns or get loans or credit cards using stolen identities.

Diachenko estimated that 51 GB of data had been left publicly exposed due an unprotected Elasticsearc server. Elasticsearch, which is not itself responsible for the leak, is a popular enterprise search application used by companies to help visualize internal data.

Diachenko also wrote that he’d teamed up with TechCrunch reporter Zack Whittaker to uncover the cache’s origin. It was eventually traced back to a Fort Worth-based company known as Ascension Data & Analytics.

A lawyer for the company, which is run by Texas investment manager Rocktop Partners, told TechCrunch that the server was shutdown after Diachenko notified it of the problem and that it has notified law enforcement and “technology partners.”


As for the mortgage institutions involved, TechCrunch reported:

From our review, it was clear that the documents pertain to loans and mortgages and other correspondence from several of the major financial and lending institutions dating as far back as 2008, if not longer, including CitiFinancial, a now-defunct lending finance arm of Citigroup, files from HSBC Life Insurance, Wells Fargo, CapitalOne and some U.S. federal departments, including the Department of Housing and Urban Development.


Diachenko stressed that, while 24 million records are involved, in some cases, the same document can produce multiple records. Moreover, it’s still unclear how many people are affected by the leak.

Earlier this week, ZDNet reported that an Elasticsearch server had been left exposed online without a password, revealing details about over 108 million bets managed by an online casino group. Diachenko also reported another Elasticsearch-involved breach at AIESEC, which describes itself as “the world’s largest youth-run organization.”



Share This Story

Get our newsletter

About the author

Dell Cameron

Privacy, security, tech policy | Got a tip? Email: | Send me encrypted texts using Signal: (202)556-0846

PGP Fingerprint: A70D 517E FB9A 02C9 C56E 86D5 877E 64E7 10DF A8AEPGP Key
OTR Fingerprint: 2374A8EA 6D2B7712 0D82D659 C0FE8253 A3F080FD