Loan Provider Southwest Funding Exposes Database Containing 695k Records
On May 20th I discovered a publicly accessible database that contained a large amount of records of what appeared to be home mortgage loan data. Upon further research I was able to see information that was consistent with home loan data and internal content management systems. The database required no username or password and anyone with an internet connection could have potentially had access to the 695,636 exposed records.
There were multiple references to Texas-based Southwest Funding and by searching the names of the loan originators listed in the records, I could assume they were the likely owner of the database. I immediately sent a responsible disclosure notice to Southwest Funding and provided details of what I had discovered. Southwest Funding’s team acted fast and professional in responding and removing public access shortly after my notification.
Southwest Funding has over 400+ employees and according to their website, they have 80 established branch office locations throughout the United States. For many people, a house is often the biggest purchase they will ever make in their lifetime. According to the real estate site Zillow, the median US home listing price in the US is $226,800 and it is estimated that the total amount of US mortgage debt was $16.01 trillion dollars in 2019. With such a large amount of money, it is easy to see why criminals would choose to target the home loan industry.
Home title fraud is the most common form of mortgage fraud and occurs when someone obtains the title or ownership of a property. This is usually done by stealing the real owner’s identity and then changing the ownership to the criminal’s name or associate. Then the criminal can try to get additional loans or mortgages against the stolen property. To the best of my knowledge, none of Southwest Funding’s customers are currently at risk of fraud and they did take some security precautions to protect the most sensitive customer data. I only mention home title fraud to raise awareness and highlight how criminals could potentially target the home loan industry or property owners.
Ironically, before my life in cybersecurity I worked in real estate and finance. Upon my discovery of this database, I knew right away this was mortgage data. In my experience, I was already well aware of the type of PII (personally identifiable information) that is collected to obtain a home loan. Even way back in the early 2000’s we were trained to understand just how sensitive loan applications could be. In the old days, our system was very localized, offline, and highly secure. Then, we used an antique fax machine with no SSL encryption to submit documents for underwriting and obviously not realizing how easily they could have been intercepted. Today, a company or organization can have multiple branches across the country or across the world and store every document in a single database on the cloud. Once this data in the cloud it can be accessed from anywhere with the right credentials (or no credentials). With the advancements in technology and data storage solutions also comes the never-ending and constantly evolving threats to data security.
What the database contained:
- 695,636 Total Records Exposed
- Loan customer names, some email addresses, physical street addresses, loan account numbers, loan amounts, and more.
- There were 3 folders that contained potentially identifiable information. One named “Credit” and two separate folders named “Leads”.
- **Credit: 83.0k Records: This contained the results of credit and loan qualifying ie. approved, pending, prospect, etc.
- **Leads: 146k Records / Leads: 149k Records: These were people looking to obtain a new loan from an advertising campaign, or people who already have a loan and may be looking to refinance their existing loans. It is unclear if there was any duplicate data in these separate folders. In the limited sampling, I saw they appeared to be unique.
- Internal content management records, employee names, emails, loan status, notes, and much more.
- Configuration information that referenced middleware and build information. This could provide exploits to potentially allow for a secondary path for malware.
- IP addresses, Ports, Pathways, and storage info that cybercriminals could potentially exploit to access deeper into the network.
* The document count as seen in the Chrome web browser
It should be noted that I did not see any SSN (Social Security Tax ID Numbers) in plain text. However, there was a section in the records that referenced “ID”. This ID portion was encrypted in what appeared to be a highly complex algorithm. I can only speculate this could have been an SSN or additional personal information.
One disturbing part of this discovery was seeing a ransomware notice inside the database named “howtogetmydataback”. The notice contained an email address and a demand for bitcoin. Although this was likely an automated threat campaign by cybercriminals, it does show that I was not the only one to see or gain access to the publicly exposed database. It is unclear who else may have had access to the data or exactly how long the database was publicly accessible. Only a full forensic audit of the database will identify how many IP addresses had gained access to the records and if any data was extracted. As a Security Researcher, I never extract data or circumvent password credentials and only take a limited number of redacted screenshots for verification purposes.
This is yet another wakeup call for the financial industry to safeguard any and all data that is collected and stored. In Jan 2019 my partner and co-founder at Security Discovery, Bob Diachenko discovered and reported a massive data leak of 24 million financial and banking documents that were exposed by the data and analytics firm Ascension. This data breach was a highly publicized news story and served as a case study for data security in the home mortgage loan industry. Unfortunately, as my discovery highlights yet again it seems there is no end in sight for large data exposures.
The Danger of This Kind of Exposure
In my opinion, any type of data exposure could pose a prolonged risk to customers and users far beyond the information that may have been leaked. It is no secret that Identity theft can potentially ruin your financial life and it is a nightmare for any victim to rebuild their credit and reputation. The danger of a data exposure involving financial related data is that it creates puzzle pieces of information that can be combined to form a complete picture of the customer, client, or user. This could potentially allow cybercriminals to have a wealth of information or the tools needed to conduct a targeted phishing campaign.
Social engineering attacks have been on the rise and they are very different from the vague emails or phone calls that we have all grown accustomed to. Several studies claim the increase in social engineering attacks has risen as much as 80% from 2016 to 2018. In reality criminals or even state actors could create a profile that is specific and targeted to each individual.
A company or organization that the customer has done business with creates a “point of trust”. Through social engineering, a cybercriminal could contact the user and verify account information that only the company or organization would know. Once they have established this trust they could ask for a social security number, banking, or credit card data. The human element and knowing intimate account details are what makes this method so dangerous and difficult to prevent or detect
Companies and organizations must do everything they can to educate and raise awareness of the threats that phishing and social engineering pose to employees and customers. This includes having a plan in place to track and monitor remote access and a robust permissions policy to ensure that only authorized individuals have access to sensitive data. Education, training, and awareness are invaluable tools when they are combined with security technology.
It is unclear if Southwest Funding has notified customers, partners, or regulatory authorities. Under the Texas Data Protection Law, if 250 or more Texas residents are affected by a breach of security, businesses must notify the Attorney General within 60 days of the data incident. There is no sign or indication of wrongdoing and I am not implying any customers, partners, or employees are at risk. I am only highlighting my discovery to raise awareness of potential security risks in the financial industry in general and for educational purposes among the security community.
Jeremiah has since contacted Southwest Funding for comment. The company has had 20 days to reply and has not yet done so. They were notified of publication.
About the author: Jeremiah Fowler: Director of Security Research @ SecurityDiscovery
“I care about data protection, privacy, cybersecurity issues, and responsible disclosure”