Homeownership and the American Dream
How it works
This is another issue at hand, one that violates millennials’ privacy. It was indeed an eye-opener to read an article, published by UBM’s DarkReading.com, about an entity that allowed the exposure of millions of records containing personal and financial data. While it may sound deranged, the database breach did not need social engineering or sophisticated malware to procure the information within the database; it was simply there for anyone to take.
This all commenced on January 10, 2019, when a cybersecurity consultant for SecurityDiscovery.com, Volodymyr Diachenko, made the key discovery of the “openly accessible database via the Internet,” which was, surprisingly, “not protected by” encryption or “a password”. The finding laid bare over two dozen million valuable records within the fifty-one-gigabyte database. The data included loan agreements, payment schedules, and personally identifiable information (PII), allegedly including W-2 documents, social security numbers, names, addresses, etc. The data comprised information captured from previous services from lenders such as WellsFargo, Citigroup, and CapitalOne.
Homeownership is an American dream that many citizens throughout the generations have envisioned achieving in their lifetime. Nevertheless, the inspiration for millennials to fulfill this achievement has become stagnant due to “lack of promising job prospects after college and crippling student loans to pay back”. However, another unsettling issue has arisen within the millennial generation: privacy. The mishandling, including the selling, of this generation’s information by large corporations has become a sensitive topic. Unlike older generations, millennials have the desire and expectation that their data is secure, whether the data is transferred, stored, or used for analysis.
It is also vital to acknowledge that with this type of sensitive information, cybercriminals and bad actors are able to commit identity theft, as well as financial fraud. And even though this data dates back ten years, it is unknown whether some or all of the personal information has already been used for criminal deceit. However, after further examination from Diachenko, with the effective “collaboration of TechCrunch”, they successfully uncovered that the “Elasticsearch database” in question belongs to Ascension Data & Analytics, LLC, a firm dedicated to “providing custom analytics services” to loan and mortgage companies. As denoted on Ascension’s official website, they do indeed “provide insight around the data clients need” and “streamline the process” with services that include, but are not limited to, “document management with OCR”.
The mention of Optical Character Recognition (OCR) is vital, as Diachenko vividly described that there “were copies of handwritten notes”, including signatures, on “printed documents related to loans and mortgages”. This indicates that not only was the personal information queryable, as in a typical relational database management system (RDBMS), but the database also included binary large objects (BLOBs), which hold a digital copy of an actual document matching the corresponding data within that database. This equates to a higher probability that criminals can easily impersonate the affected victims, as these documents could serve them as proof of legality to commit financial fraud.
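The exposure described above was an Elasticsearch database reachable from the Internet with no password and no encryption. The following is an added example, not code from the article or from Ascension, that audits an `elasticsearch.yml` for the settings that produce that state; the two sample configurations, the host address and the function names are constructed for illustration.

```python
import ipaddress

# Constructed samples: weak settings first, then the corrected ones in nested YAML.
EXPOSED = "network.host: 0.0.0.0\nxpack.security.enabled: false\n"
HARDENED = """\
network:
  host: 10.20.0.15   # private interface only
xpack.security:
  enabled: true
  http.ssl.enabled: true
  transport.ssl.enabled: true
"""

def flatten(text):
    """Reduce flat or nested `key: value` YAML to dotted setting names."""
    settings, stack = {}, []            # stack: (indent, key) of open parent keys
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if value.strip():
            settings[".".join([k for _, k in stack] + [key])] = value.strip().strip("\"'")
        else:
            stack.append((indent, key))
    return settings

def binds_privately(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                  # a name or Elasticsearch special value
        return host in ("localhost", "_local_", "_site_")
    # 0.0.0.0 and :: mean every interface, so rule them out before the range test.
    return not ip.is_unspecified and (ip.is_loopback or ip.is_private)

def audit(text):
    s, findings = flatten(text), []
    host = s.get("http.host", s.get("network.host", "_local_"))
    if not binds_privately(host):
        findings.append(f"bind address {host}: HTTP API not limited to a private interface")
    # Defaults differ between Elasticsearch versions, so require explicit settings.
    for key, risk in (("xpack.security.enabled", "no password required"),
                      ("xpack.security.http.ssl.enabled", "client traffic unencrypted"),
                      ("xpack.security.transport.ssl.enabled", "node traffic unencrypted")):
        if s.get(key, "").lower() != "true":
            findings.append(f"{key} is not true: {risk}")
    return findings
```

A private bind address does not prove the port is unreachable from outside, since a firewall rule or port forward can still publish it, so the result belongs next to a check of the network path.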
Conclusion and Opinion
In conclusion, the convincing evidence shows there was obvious human error on behalf of the Ascension Data & Analytics company. Their apparent lack of attention to detail in not securing this database has potentially put many individuals’ sensitive data in jeopardy. Aside from costing those individuals headaches in the future with possible criminal deceit, this could lead to other negative impacts on the company, both monetary and reputational. As a service provider, the company also failed to adopt proactive security approaches to eliminate the potential risks that may have arisen with the transferring and storing of the data. They should have had a checklist and thoughtfully answered some of the following questions:
- What type of encryption will we use to store and transfer data with?
- How often will we change the password to the database?
- Will there be obfuscation to not jeopardize personal information?
- What is the duration of custody of this data?
- How will data be destroyed after analysis?
Luckily, as with many other companies who utilize a reactive security approach, Ascension secured the database after they were informed of the breach. Overall, unacceptable. However, I justly blame the other side of the equation as well. The requester of the service failed to ensure that all key aspects of securing and handling the data were put in place. It is standard during the procurement stages for the right members of an organization to be part of the discussion when requesting third-party services. The vetting process should have included members in charge of the data, security experts, and the infrastructure.
With so many eyes, and different points of view, this incident could have easily been avoided. The effects of a minor human error on Ascension’s part could potentially affect future real-estate markets. Exposing personal and financial data could deter the millennial generation from wanting or wishing to purchase a home in the future. After all, the fear of having their data left unsecured violates privacy as well.
References
- Ascension. (n.d.). Retrieved on January 31, 2019, from https://www.ascensionda.com/
- Garcia, P. L. (n.d.). The Millenial Home Buyer. Retrieved on January 31, 2019, from
- Vijayan, J. (2019, January 24). Database of 24 Million Mortgages, Loan Records Left Exposed Online. Retrieved January 31, 2019, from https://www.darkreading.com/attacks-breaches/database-of-24-million-mortgage-loan-records-left-exposed-online/d/d-id/1333730