Gaping holes in protecting consumer data: Lessons from the Ascension breach
On January 10, 2019, a security researcher discovered over 24 million mortgage loan documents publicly exposed on an Amazon S3 storage server. The documents originated from a wide array of financial institutions and the federal government through the processing of mortgage applications. The firms then sold these loans to Rocktop Partners, an alternative investment firm.
Upon acquisition of the loans, Rocktop Partners turned the data over to Ascension Data & Analytics, an affiliate company, for analytics and processing. The carousel of information didn’t stop there: Ascension then gave the data to OpticsML, presumably for further processing and analytics.
In the above corporate game of hot potato, who should be held responsible for the protection of the sensitive data involved? The companies that profited from mortgage transactions are pointing their fingers down the transaction chain, and regulators seem to be powerless. Meanwhile, the thousands of impacted consumers are bracing for the impact. Let’s define the actors and see what we can learn from their part in this incident.
OpticsML stored the sensitive financial data in Amazon S3 buckets without password protection, leaving the data open to the anonymous internet. Since the breach, OpticsML has shut down its website (https://www.opticsml.com). Being a small fintech startup, it is likely that they don’t have the financial resources to compensate those impacted by the breach, nor will they likely resume business.
Lesson: Regardless of your size, information security matters. Just as a lack of cash will cause your business to fail, so too will a lack of information security.
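The exposure above came from storage reachable by anyone on the internet. As an added example (not code from the article or from any of the companies it names), the following Python audits an S3 bucket policy document and an ACL, the two objects `get_bucket_policy` and `get_bucket_acl` return, for grants to anonymous or all-authenticated principals; the bucket name, account id and grants are constructed samples.

```python
import json

# S3 "global" grantee groups; a grant to either exposes the bucket beyond the account.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _is_anonymous(principal):
    # "Principal": "*" and {"AWS": "*"} both mean "anyone" in a bucket policy.
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in (principal if isinstance(principal, list) else [principal])

def public_policy_statements(policy_json):
    """Sids of Allow statements open to an anonymous principal with no Condition."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if (stmt.get("Effect") == "Allow" and _is_anonymous(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

def public_acl_grants(acl):
    """(grantee URI, permission) pairs for ACL grants to the global groups above."""
    return [(g["Grantee"]["URI"], g["Permission"]) for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS]

# Constructed samples (hypothetical bucket and account id): one world-readable
# statement beside one scoped to a single IAM role, and an ACL with an AllUsers READ.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-loan-docs/*"},
    {"Sid": "AnalyticsRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-loan-docs/*"},
]})
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
]}

if __name__ == "__main__":
    print("public policy statements:", public_policy_statements(SAMPLE_POLICY))
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))
```

Either finding is a bucket that should have had account-level Block Public Access enabled before any loan documents were copied into it.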
Rocktop Partners / Ascension Data and Analytics
Rocktop Partners, an investor in distressed consumer markets, acquired the impacted loans and related documentation from a wide range of financial institutions. They handed the data over to Ascension Data & Analytics, a closely affiliated firm, presumably for analytics and processing.
Sandy Campbell, general counsel of Rocktop Partners, explained that neither the Ascension nor the Rocktop Partners systems were impacted by the breach. Based on a review of a breach notification filed with the state of Vermont, Ascension is notifying impacted consumers and offering them two years of free credit and identity theft monitoring services.
Lesson: It doesn’t matter if your systems were impacted: it’s the data and the transactions that matter. Your risk surface is anywhere the confidentiality, integrity, or availability of your data or transactions are at risk; that could be within your own systems or the systems of your third parties that are processing your data.
We may never know if Rocktop Partners / Ascension assessed the information security risk capabilities of OpticsML. If they didn’t, they were grossly negligent in transferring the information without doing so. The purpose of third-party information security risk management programs is to ensure that your vendors implement and maintain information risk management programs sufficient to protect the assets with which they are entrusted. Good security cannot be assumed—it must be continuously verified.
Rocktop Partners acquired the loans from a wide range of financial institutions. It happens all the time: loans, like stocks, are simply financial instruments that are traded by investors. Consumers only choose the institution with which they originate the loan; beyond that, the originating bank can sell the loan to whomever it chooses. Under the Truth in Lending Act (12 CFR Part 26), the acquirer of the loan must notify the consumer within 30 days of acquiring the loan.
Is the originating financial institution responsible for ensuring that the company acquiring the loan has adequate information security sufficient to protect the confidentiality of the loan information? What if the acquiring firm sells it to another firm; should the originating financial institution be responsible for that as well?
The Office of the Comptroller of the Currency (OCC) has established strong regulations mandating that banks manage third-party information security risk (OCC Bulletin 2013-29). The OCC’s definition of “third party” is quite broad, including “any other business arrangements where the bank has an ongoing relationship.” As such, it could be interpreted that the financial institutions were responsible for ensuring that Ascension had adequate information security controls in place.
Lesson: It isn’t just traditional third-party hosting and service providers that can impact financial institutions’ customers: financial institutions need to pay attention to their partners, too. OCC Bulletin 2013-29 states that financial institutions are responsible for managing the risk associated with any ongoing relationship. Partners to whom institutions sell mortgage loans arguably fall under the category of a third party, according to the OCC’s definition.
At the end of the day, it is reasonable for consumers to expect that, if their financial institution sells their loan to another firm, it will take steps to ensure the entity to which they are transferring the information has an information security program sufficient to reasonably ensure the security of the information. After all, it is the financial institution that has the choice to sell, not the consumer.
The OCC has the mission of “ensuring a safe and sound banking system for all Americans.” That mission includes ensuring the privacy of consumer financial information. The OCC’s financial information privacy rules enforce the requirements of the 1999 Gramm Leach Bliley Act.
The OCC’s third-party risk management rules issued to regulated financial institutions, OCC Bulletin 2013-29, are expansive enough to cover any entity with which a bank has an ongoing relationship. However, financial institutions can only do so much. In this case, Rocktop Partners was not breached, but rather a third party of Rocktop Partners.
Unfortunately, information security regulations do not expand to all corners of the financial industry. While banks are strongly regulated, secondary players in the financial market, like Rocktop Partners, are not subject to the same rules. In an interview with the Washington Post, banking regulator Paul Benda lamented about the lack of regulation of the secondary financial markets, stating, “If you receive this loan data, well gosh darn it you need to protect it.”
Lesson: During the lifetime of a mortgage, it will likely be held by multiple organizations. The regulatory mandated protection of that information depends on who holds the mortgage. Banks are highly regulated, but everyone else? Not so much. Regulators need to rationalize their rules: if it is the protection of the consumer they have in mind, then everyone who holds the data should be subject to the same rules.
In the end, the consumer is given only vague answers and is left anxious about identity theft. All they get in return for the data lost is a couple years of free credit monitoring.
Lesson: Consumers just get screwed. When the investment firm gets breached due to poor information security risk management, all the consumer gets is a pile of identity theft anxiety (and reality) and $100 worth of identity theft monitoring that expires in a couple years. It’s not even close to fair.
The system is broken. Why? Because the only entity really harmed in this data breach (and any company data breach) is the consumer. They are entirely blameless, and yet they continue to bear the true cost of the breach.
Responsibility lies with every entity in the chain. Everyone had a job to do, but we only have enough information to know that OpticsML didn’t do their job.
- OpticsML has primary responsibility—they stored the information on a publicly-accessible file system.
- Rocktop Partners/Ascension is responsible—it is their data, and OpticsML, as their vendor, is an extension of their company. As I like to summarize, “you can outsource your systems and services, but you can’t outsource your risk.”
- Financial Institutions are responsible—it was the job of the financial institutions to ensure that Rocktop Partners had an effective information risk management program prior to selling them their customers’ loans and related data. Part of effective risk management is having an effective third-party security risk management program. Did the institutions assess Rocktop’s information security program? Perhaps. But it wasn’t enough.
- Regulators are responsible—there is a big gaping hole in the regulations. Banks, particularly big banks, face tremendous scrutiny while secondary financial market firms are subject to little if any information security scrutiny. The regulatory requirements should be modified to protect the consumer, regardless of who holds the data.