Earlier this year, a trove of more than 24 million financial and banking documents, was found online.
“…more than a decade’s worth of data, containing loan and mortgage agreements, repayment schedules and other highly sensitive financial and tax documents that reveal an intimate insight into a person’s financial life. But it wasn’t protected with a password, allowing anyone to access and read the massive cache of documents…”
The files were indexed into a free search engine which was exposed to the open internet. Why? Business Process Outsourcing (BPO). Large companies use “BPOs” to do work they don’t want do perform in-house. One of the most common uses of BPO in financial services is … data entry. Literally, looking at the image of a scanned document and typing it in to some other system.
Most banks and mortgage originators use BPOs. It saves them time and money. The problem is, it can also expose their customers’ data.
The BPO undoubtedly uses a search engine as part of their workflow automation. The bank originating the loan drops a bunch of related, scanned documents into some folder on some server. Those then get picked up by the BPO; a copy is made and indexed by the BPO’s search engine. This makes the document available for the employees of the BPO so they can do their work. The BPO’s workflow assigns each document to an available worker by passing them the URL of the indexed document. The worker reads it and type the values they see on the screen into the web application – probably a loan Origination System like Ellie Mae’s Encompass. When they’re done… well, that’s anyone’s guess. The bank probably tracks the completion of the work – i.e. how fast did it all get typed in.
They should have worried how long the shared document persisted, in this case.
The alternative is not to share a copy of the document. Using e-Share’s API, it takes one call to upload a file to your existing cloud storage (OneDrive, Dropbox, GDrive or Box) and return a URL that provides time-limited, view-only access to the file.
Share the link with your BPO, not the entire document!
Register for a demo to see this API in action, anytime.