The Federal Trade Commission has approved a settlement with a mortgage data analytics firm for a 2019 security lapse that exposed millions of sensitive mortgage documents containing the private information of thousands of Americans.
The settlement, announced late December, orders the Texas-based firm Ascension to strengthen its security practices and ensure that its vendors also maintain proper data security safeguards. The order comes two years after a TechCrunch investigation found that OpticsML, a New York-based vendor working for Ascension, left a database of highly sensitive financial data exposed to the internet without a password. No financial penalties were imposed as part of the settlement.
The FTC accused Ascension of failing to ensure that its vendors were complying with data security safeguards as required by the Gramm-Leach Bliley Act’s Safeguard Rule.
Much of the 24 million records exposed by the security lapse included names, dates of birth, Social Security numbers and other sensitive personal information that revealed intimate details of a person’s financial life. TechCrunch also found exposed bank account information and loan agreements. A data breach notice filed with the California attorney general’s office revealed credit files and driver’s license numbers were also exposed.
According to the FTC, more than 60,000 Americans were affected by the lapse.
OpticsML was hired by Ascension to convert written documents into computer-readable text, known as OCR. Both the original documents and the converted text were accessible from anyone who knew its IP address. The FTC found that the database was exposed for about a year, during which time the database was accessed more than 50 times, mostly from computers that appear to be located in Russia and China, the complaint said.
The order was finalized with the majority votes of two of the agency’s four remaining commissioners. FTC chair Lina Khan did not participate because Khan was not at the FTC at the time of the complaint, an FTC spokesperson told TechCrunch.
Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025
Netflix, Box, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss the 20th anniversary of TechCrunch, and a chance to learn from the top voices in tech. Grab your ticket before doors open to save up to $444.
Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025
Netflix, Box, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss a chance to learn from the top voices in tech. Grab your ticket before doors open to save up to $444.
FTC commissioner Rebecca Kelly Slaughter voted against the final settlement, arguing that the complaint “alleges only a rule violation” and fell short by not laying charges against the company. Prior to leaving the FTC to head the Consumer Financial Protection Bureau, then-FTC commissioner Rohit Chopra also criticized the federal agency for settling with Ascension and not its parent company, Rocktop Partners, because the settlement “misses the mark on identifying the responsible company.”
Spokespeople for Ascension and OpticsML did not immediately respond to requests for comment.
Millions of bank loan and mortgage documents have leaked online
