Security researcher Jeremiah Fowler together with the Website Planet research team discovered an open and non-password protected database that contained 717,814 records and the Personally Identifiable Information (PII) of thousands of Canadian citizens. This data contained home mortgage loan related information that included names, phone numbers, email addresses, physical addresses, and more. Many of the records we saw appeared to be “mortgage leads”. These are records of individuals who want to buy a house, refinance, obtain an equity line of credit or purchase an investment property.
Upon further research, we found multiple references to Canadian-based 8Twelve Financial Technologies Inc. We immediately sent a responsible disclosure notice, and 8Twelve acted fast and professionally by restricting public access within hours of our discovery.
According to a recent press release, “8Twelve streamlines the home financing process by providing its partners a one-stop financing solution for all their mortgage needs. 8Twelve’s proprietary technology platform INFIN8 identifies the best possible mortgage from Canada’s largest marketplace of bank, alternative, and private mortgage products”.
In the same press release the company stated that 8Twelve’s proprietary cloud platform called INFIN8 utilizes real-time analytics, AI, and workflow automation to identify the best possible financing solution from over 65 lenders and over 7000 mortgage products. We saw multiple references to the INFIN8 platform inside the publicly exposed database. It was possible that this was an end-to-end Customer Relationship Management (CRM) storage repository. The CRM system is what companies use to manage their customers and potential customers, and obtain visibility on different business processes. 8Twelve mortgage agents would be able to see who has applied for a loan and what was the stage or status of the lead, and make comments on the applicant’s situation or loan prospects.
What the Database Contained:
Total Number of Records Exposed: 717,814. The database contained one folder named “applicant” and five folders named “application”.
Records included applicant names, emails, and phone numbers for work, home, and cell. Some records contained physical addresses, state and province. As most of the data could relate to a specific individual, data found in the records could be considered Personally Identifiable Information (PII).
In a random sampling of 10,000 records, the term “email” returned 18,382 results. Each record displayed contained 2 email addresses: one belonging to the applicant, accompanied by a corresponding one from the 8Twelve agent who was assigned the lead. Nearly all common email services appeared in the data: Gmail 13,695, Yahoo 3,406, along with Outlook, iCloud, AOL, and smaller numbers of multiple other email providers.
Mortgage leads from multiple Canadian provinces were collected in multiple folders marked as “Prod” (which we assume stands for “production”). The records appeared to indicate where the leads came from, such as Facebook ads, referral, website, etc. Campaign ID numbers were also listed in the applicant files, which we may infer were for the purposes of internal tracking of sales and marketing effectiveness.
Applicants self-submitted information about their own financial standing, in the form of their credit scores, bankruptcy, savings, finances, and other data to start the loan application process. For credit evaluation purposes, mortgage agents may need to determine an applicant’s creditworthiness by disclosing the aforementioned financial information to an independent credit reporting agency or another source.
Records also included 8Twelve employee names, email addresses, and internal notes about the prospective loan or customer, indicating whether an applicant was credit-worthy or not.
Before working in the technology industry I was a licensed Real Estate Agent and Mortgage Loan Officer in the United States. Both of these jobs required education and licensing to navigate the complex laws and regulations. Home buyers or those looking to refinance can be particularly vulnerable if they are not experienced in the loan application process. Buying a home is the single largest purchase that many people will ever make and it can be a stressful process. Buyers heavily depend on trusted financial professionals to navigate the rules and protect their interests during the loan process.
Mortgage leads contain the personal contact information of prospective home buyers and borrowers who are in need of financing or want to change their current loan for better terms, also known as refinancing. Borrowers also can take loans against the equity of their homes when the home is worth more than they owe. This is called a home equity line of credit or HELOC. I know from personal experience that loan applicants will often follow the instructions of their trusted mortgage advisors or provide unrestricted personal and financial information without asking many important questions to confirm the person they are giving their data to is actually who they say they are.
The credit bureau Equifax Canada reported that they flag between 15,000 and 24,000 suspicious mortgage applications monthly. Using a mortgage lead, a criminal would know how much the victim wants to borrow. They would also know how much money a victim would have for a down payment, the victim’s investments, earnings, salary, assets, and possibly more. In essence, information from a mortgage lead would provide a comprehensive picture of an individual’s financial health.
It should be noted that although the records contained personally identifiable information, we did not see any social insurance numbers (SIN) in plain unencrypted text. A SIN number is a 9-digit number that you need to work and be paid in Canada and access government programs and benefits. SIN numbers are valued by malicious actors because they can be used to apply for credit (under someone else’s identity), or used to establish new fraudulent identities (via false documentation).
To obtain a valuable piece of data such as a SIN, a criminal could potentially socially engineer the victim to provide this information voluntarily. We advise anyone to conduct due diligence on any individual who requests SIN numbers, tax identification, or banking information. It is always better to be safe than sorry when it comes to data protection.
Very broadly, social engineering operates by persuading individuals to reveal valuable private information, based on slivers of information already available. Hypothetically, a criminal could call the leads and say: “You applied for a loan and I wanted to tell you that you have been approved, we need you to make payment for the application fee, please provide me with your credit card number or bank account details and SIN so we can get the process started”. The victim would have no reason to doubt this was a legitimate call based on the fact that only the applicant and the mortgage company would know this information. Criminals could use social engineering to get as much information as they can to commit fraud or other financial crimes. It is not uncommon to talk with multiple people throughout the loan process. Thus, a stranger calling with insider knowledge could easily gain the trust of the victim to divulge additional information.
Identity theft is another potential risk that could allow criminals to commit mortgage fraud for title or obtain a second loan. This type of fraud happens when someone uses the stolen identity of the victim to change the title of the home to transfer ownership or get a new mortgage that the victim will have to repay. Anyone of any age can be a victim of fraud, but criminals often target senior citizens because they are generally more vulnerable, as they may not have family or friends to help them identify scams. Senior citizens tend to be more trusting of others as many of them are in cognitive decline.
Another risk is targeting vulnerable individuals who have financial problems and are facing foreclosure. A malicious actor could potentially use exposed information on credit-worthiness to identify vulnerable individuals. Such individuals are often desperate to save their property and more susceptible to fraud. The criminals could pretend to provide debt relief and demand upfront fees or, in some cases, even the title of the home.
Canada Appears to Be Lagging Behind in Terms of Legislative Protection for Data Protection and Privacy
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) has been around for over 20 years. Unfortunately, like many regulations of the digital world, legislative solutions such as the PIPEDA have not been able to keep up with the growth of technology and are often outdated or obsolete in their effectiveness. For example, PIPEDA in its present form is not designed to account for instances where one organization transfers personal data to another. Enforcement is also often weak.
With this backdrop, in the summer of 2022, Canada introduced the Consumer Privacy Protection Act (CPPA). The CPPA is very similar to the GDPR in Europe, and it was drafted to enhance the data protections under PIPEDA. The goal of CPPA is to strengthen the rights and privacy of individuals and their personal data. The law also created obligations for businesses and organizations who collect, use, or disclose personal information and imposes financial penalties for those who breach said obligations. The proposed CPPA imposes heftier penalties and fines in comparison to the current PIPEDA, in relation to data breaches by companies.
In June 2022, Bill C-27 (also known as the Digital Charter Implementation Act) was also introduced. The proposed Digital Charter Implementation Act relates to a legal framework to regulate consumer privacy, data protection, and artificial intelligence (AI) in Canada. It appears these proposals have not been formally enacted as of January 2023, leaving a considerable gap in the data protection and digital privacy protections of Canadian consumers. An earlier bill, C-11, introduced in early 2020, failed to pass due to the general election and dissolution of Parliament in British Columbia in the fall of 2020. In short, the efficacy of data protection and privacy measures in Canada appears to remain a work in progress.
As security researchers we never download or extract the data we discover, and only take a limited number of screenshots that are redacted to document the findings. It is unclear how many total individuals were affected; in a sample we did not find duplicate emails, and each record was an individual application. Our goal is data protection and cyber security awareness. We publish our findings for educational purposes and to raise awareness of data incidents. We imply no wrongdoing by 8Twelve Financial Technologies Inc. or that any customer data was ever at risk. It is unclear how long the database was exposed, who else may have had access to these records, or whether the authorities and applicants were notified as required under Canadian law.
Jeremiah Fowler is a Security Researcher and co-founder of Security Discovery. Jeremiah began his career in security research in 2015 and has a mission of data protection. He has helped identify and secure the data of millions of people around the world. His discoveries have been covered in Forbes, BBC, Gizmodo, among others. Security and responsible disclosure are not only a passion, but a way of protecting our digital lives.