What happens to data when mortgage is resold?
WASHINGTON — A large breach of mortgage data that has exposed the personal financial information of tens of thousands of borrowers raises key consumer questions: What happens to all those disclosures we make after we apply for and obtain a home loan — our tax returns, Social Security numbers, credit card accounts, bank-account numbers and detailed summaries of our assets?
Where does it all go after the closing? If your mortgage or servicing rights subsequently are sold and resold to other companies, what happens to all that intimate information? Does it stay securely padlocked away somewhere, far out of the reach of criminals?
You would hope so, but consider this: 54,000 mortgage borrowers recently had their financial data exposed to identity thieves trolling around on the Internet.
There was no lock on the online files that contained their private data. Stunningly, their information was not protected by even a simple password. It’s not known at this point whether, or how much, personal data was accessed, but the files reportedly were exposed for two weeks or more.
First reported by trade publication TechCrunch, the breach involved loans originated by several companies — Wells Fargo; a unit of Citigroup; Capital One; HSBC Life Insurance; and others. The loans were acquired by investment management firm Rocktop Partners LLC, based in Arlington, Texas. Rocktop’s affiliate, Ascension Data & Analytics, hired a New York-based company, OpticsML, which allegedly made a “server configuration error” that led to the exposure of the documents, according to an email sent to me by Sandy Campbell, Ascension’s general counsel.
OpticsML, meanwhile, has gone offline. A spokesman said that, “In an abundance of caution, we have taken down our website and servers while we conclude our investigation of the unauthorized access.”
Campbell told me that Ascension is “in regular contact with law-enforcement investigators” regarding the breach and “is working with vendors” to send notification letters to affected mortgage borrowers. It will also provide “credit monitoring, call-center support and identity-restoration services at no cost.”
The banks made it clear in statements that they had no direct involvement in the data breach because they neither own nor service the mortgages. Nonetheless, a Citibank spokesman said it is “working to identify potentially affected customers” and has “instituted a forensic investigation.”
Industry experts were aghast at the breach. Paul Benda, senior vice president for risk and cybersecurity at the American Bankers Association, said “banks have strict data security protocols in place ... and protect their (own) data well.” So, too, should companies that acquire mortgages originated by banks and resold in the secondary market. “If you receive this loan data, well gosh darn it you need to protect it,” Benda added.
Rick Hill, vice president of industry technology for the Mortgage Bankers Association, called for new “uniform federal standards” for protecting consumers’ data that would apply in instances like this.
As a general rule, mortgage investors take pains to store client financial data on platforms that include significant security protections. But as this new breach illustrates, lapses can occur.
What to do if you find yourself a victim? Pretty much the same things you did when Equifax got hacked: Consider taking advantage of any free credit-monitoring services you are offered, and consider freezing or locking your credit reports.