Recently I discovered an open and non-password-protected database that contained 717,814 records and the Personally Identifiable Information (PII) of thousands of Canadian citizens. This data contained home mortgage loan-related information that included names, phone numbers, email addresses, physical addresses, and more. Many of the records we saw appeared to be “mortgage leads”. These are records of individuals who want to buy a house, refinance, obtain an equity line of credit or purchase an investment property. Upon further research, there were multiple references to Canadian-based 8Twelve Financial Technologies Inc. We immediately sent a responsible disclosure notice and 8Twelve acted fast and professionally by restricting public access within hours of our discovery.
- 717,814 records. The database contained one folder named “applicant” and five folders named “application”;
- applicant names, emails, and phone numbers for work, home, and cell. Some records contained physical addresses, state or province. As most of the data could relate to a specific individual, data found in the records could be considered Personally Identifiable Information (PII);
- in a random sampling of 10,000 records, the term “email” returned 18,382 results. Each record displayed contained two email addresses: one belonging to the applicant, accompanied by a corresponding one from the 8Twelve agent who was assigned the lead. Nearly all common email services appeared in the data, notably Gmail (13,695 results) and Yahoo (3,406), along with Outlook, iCloud, AOL, and smaller numbers of multiple other email providers.
- mortgage leads from multiple Canadian provinces were collected in multiple folders marked as “Prod” (which we assume stands for “production”). The records appeared to indicate where the leads came from: Facebook ads, referral, website, etc. Campaign ID numbers were also listed in the applicant files, which we may infer were for the purposes of internal tracking of sales and marketing effectiveness.
- applicants’ self-submitted information about their own financial standing, in the form of their credit scores, bankruptcy, savings, finances, and other data to start the loan application process. For credit evaluation purposes, mortgage agents may need to determine an applicant’s creditworthiness by disclosing the aforementioned financial information to an independent credit reporting agency or another source.
- records also included 8Twelve employee names, email addresses, and internal notes about the prospective loan or customer, indicating whether an applicant was credit-worthy or not.