Two redacted files among millions of mortgage and financial documents found on the exposed server. Image Credits: TechCrunch
The Federal Trade Commission has approved a settlement with a mortgage data analytics firm for a 2019 security lapse that exposed millions of sensitive mortgage documents containing the private information of thousands of Americans.
The settlement, announced in late December, orders the Texas-based firm Ascension to strengthen its security practices and ensure that its vendors also maintain proper data security safeguards. The order comes two years after a TechCrunch investigation found that OpticsML, a New York-based vendor working for Ascension, left a database of highly sensitive financial data exposed to the internet without a password. No financial penalties were imposed as part of the settlement.
The FTC accused Ascension of failing to ensure that its vendors were complying with data security safeguards as required by the Gramm-Leach-Bliley Act's Safeguards Rule.
Many of the 24 million records exposed by the security lapse included names, dates of birth, Social Security numbers and other sensitive personal information that revealed intimate details of a person’s financial life. TechCrunch also found exposed bank account information and loan agreements. A data breach notice filed with the California attorney general's office revealed credit files and driver's license numbers were also exposed.
According to the FTC, more than 60,000 Americans were affected by the lapse.
OpticsML was hired by Ascension to convert written documents into computer-readable text, a process known as optical character recognition, or OCR. Both the original documents and the converted text were accessible to anyone who knew the database's IP address. The FTC found that the database was exposed for about a year, during which time it was accessed more than 50 times, mostly from computers that appear to be located in Russia and China, the complaint said.
The order was finalized with the majority votes of two of the agency's four remaining commissioners. FTC chair Lina Khan did not participate because Khan was not at the FTC at the time of the complaint, an FTC spokesperson told TechCrunch.
FTC commissioner Rebecca Kelly Slaughter voted against the final settlement, arguing that the complaint "alleges only a rule violation" and fell short by not laying charges against the company. Prior to leaving the FTC to head the Consumer Financial Protection Bureau, then-FTC commissioner Rohit Chopra also criticized the federal agency for settling with Ascension and not its parent company, Rocktop Partners, because the settlement "misses the mark on identifying the responsible company."
Spokespeople for Ascension and OpticsML did not immediately respond to requests for comment.