GOOD: 8Twelve secured its server and was swift in restricting public access within hours of being alerted by the good folks at Website Planet.
Toronto-based 8Twelve Financial Technologies, a mortgage broker, was found to have a misconfigured database exposed to the public. The database contained the personal information of more than half a million individuals.
Worse, according to the cybersecurity researchers at Website Planet who identified the server, the data was left exposed without any authentication or password protection.
However, after researcher Jeremy Fowler and the Website Planet staff sent a responsible disclosure notice to the company, 8Twelve was swift in restricting public access within hours of the discovery.
The database contained 717,814 records on thousands of Canadian residents, with information related to mortgage loans, including:
- Full names
- Phone numbers
- Email addresses
- Physical addresses and more.
Many of the records appeared to be mortgage leads of people who want to buy a house, refinance, obtain an equity line of credit, or purchase an investment property, the report states.
According to Website Planet, the database contained applicants’ names, emails, and phone numbers for work, home, and cell. Some records contained physical addresses, states, or provinces. As most of the data can relate to a specific individual, the data found in the records can be considered Personally Identifiable Information (PII).
Information submitted by the applicants about their financial standing, such as their credit scores, bankruptcies, savings, finances, and other data required to start the loan application process, was also found in the database.
Aside from applicant information, Website Planet reported that the records also included 8Twelve employee names, email addresses, and internal notes about the prospective loan or customer, indicating whether an applicant was creditworthy or not.
A misconfigured database can be a major source of concern for organizations, as it can cause data breaches and other security issues. Not only can a malicious actor gain access to sensitive information stored in the database, but they may also be able to alter or delete existing data.
Furthermore, a misconfigured database can lead to an organization facing hefty compliance penalties due to its inability to protect customer data from unauthorized access.
The most common way for databases to become misconfigured is when their settings are not properly maintained or upgraded with the latest security protocols. This often results in weaker authentication methods and outdated encryption algorithms remaining in use, which leaves the databases vulnerable to attack.
As businesses increasingly rely on databases for storing and managing their data, it’s essential that they ensure they’re properly configured and regularly monitored in order to protect against potential dangers.