Lat­est credit breach ex­poses mort­gage data of 54K bor­row­ers

Richmond Times-Dispatch - - THE NATION'S HOUSING -

Alarge breach of mort­gage data that has ex­posed the per­sonal fi­nan­cial in­for­ma­tion of tens of thou­sands of bor­row­ers raises key con­sumer ques­tions: What hap­pens to all those dis­clo­sures we make af­ter we ap­ply for and ob­tain a home loan — our tax re­turns, So­cial Se­cu­rity num­bers, credit card ac­counts, bank ac­count num­bers and de­tailed sum­maries of our as­sets?

Where does it all go af­ter the closing? If your mort­gage or ser­vic­ing rights sub­se­quently are sold and resold to other com­pa­nies, what hap­pens to all that in­ti­mate in­for­ma­tion? Does it stay se­curely pad­locked away some­where, far out of the reach of crim­i­nals?

You would hope so, but con­sider this: 54,000 mort­gage bor­row­ers re­cently had their fi­nan­cial data ex­posed to iden­tity thieves trolling around on the in­ter­net. Bor­row­ers had no hint that they were vul­ner­a­ble, and many may still not know that a breach oc­curred.

There was no lock on the on­line files that con­tained their pri­vate data. Stun­ningly, their in­for­ma­tion was not pro­tected by even a sim­ple pass­word. It’s not known at this point whether, or how much, per­sonal in­for­ma­tion was ac­cessed, but the files re­port­edly were ex­posed for two weeks or more. Some bor­row­ers could find that crim­i­nals al­ready have used their in­for­ma­tion to es­tab­lish new credit card ac­counts, pur­chase mer­chan­dise, even ap­ply for new mort­gages — cre­at­ing havoc for the vic­tims.

First re­ported by trade pub­li­ca­tion TechCrunch, the breach in­volved loans orig­i­nated by sev­eral com­pa­nies — Wells Fargo; a unit of Cit­i­group; Cap­i­tal One; HSBC Life In­sur­ance; and oth­ers. The loans were ac­quired by in­vest­ment man­age­ment firm Rock­top Part­ners LLC, based in Ar­ling­ton, Texas.

Rock­top’s af­fil­i­ate, As­cen­sion Data & An­a­lyt­ics, hired a New York-based com­pany, Op­tic­sML, which al­legedly made a “server con­fig­u­ra­tion er­ror” that led to the ex­po­sure of the doc­u­ments, ac­cord­ing to an email sent to me by Sandy Camp­bell, As­cen­sion’s gen­eral coun­sel.

Op­tic­sML, mean­while, has gone off­line. As of late last week, its phone num­ber had been dis­con­nected, and the con­tact in­for­ma­tion listed on its web­site was non­func­tional. In a state­ment for this col­umn, a com­pany spokesman ex­plained that, “In an abundance of cau­tion, we have taken down our web­site and servers while we con­clude our in­ves­ti­ga­tion of the unau­tho­rized ac­cess.”

Camp­bell told me that As­cen­sion is “in reg­u­lar con­tact with law en­force­ment in­ves­ti­ga­tors” re­gard­ing the breach and “is work­ing with ven­dors” to send no­ti­fi­ca­tion let­ters to af­fected mort­gage bor­row­ers. It will also pro­vide “credit mon­i­tor­ing, call­cen­ter sup­port and iden­tity-restora­tion ser­vices at no cost.”

The banks whose loan clients might have been in­jured made it clear in state­ments that they had no di­rect in­volve­ment in the data breach be­cause they nei­ther own nor ser­vice the mort­gages. Nonethe­less, a Ci­tibank spokesman said it is “work­ing to iden­tify po­ten­tially af­fected cus­tomers” and has “in­sti­tuted a foren­sic in­ves­ti­ga­tion.”

A spokes­woman for Wells Fargo told me, “We have no in­di­ca­tion that any Wells sys­tems or ser­vice providers were com­pro­mised,” and the bank views the “se­cu­rity of our cus­tomers’ per­sonal in­for­ma­tion” as “our pri­or­ity.”

In­dus­try ex­perts were aghast at the breach. Paul Benda, se­nior vice pres­i­dent for risk and cy­ber­se­cu­rity at the Amer­i­can Bankers As­so­ci­a­tion, said “banks have strict data se­cu­rity pro­to­cols in place ... and pro­tect their [own] data well.” So, too, should com­pa­nies that ac­quire mort­gages orig­i­nated by banks and resold in the sec­ondary mar­ket.

“If you re­ceive this loan data, well gosh darn it you need to pro­tect it,” Benda added.

Rick Hill, vice pres­i­dent of in­dus­try tech­nol­ogy for the Mort­gage Bankers As­so­ci­a­tion, called for new “uni­form fed­eral stan­dards” for pro­tect­ing con­sumers’ data that would ap­ply in in­stances like this.

The un­der­ly­ing prob­lem here is that the per­sonal in­for­ma­tion we all sup­ply to get a home mort­gage fre­quently does not re­main with the lender that made the loan. Mort­gages rou­tinely are pooled and sold to in­vestors in a vast sec­ondary mar­ket; those in­vestors may re­sell chunks of their port­fo­lios to other in­vestors.

Af­ter a cou­ple of trans­ac­tions, the fi­nan­cial data back­ing an in­di­vid­ual mort­gage is far re­moved from the bank or mort­gage com­pany that orig­i­nated it. As a gen­eral rule, mort­gage in­vestors take pains to store client fi­nan­cial data on plat­forms that in­clude sig­nif­i­cant se­cu­rity pro­tec­tions. But as this new breach il­lus­trates, lapses can occur.

What to do if you find your­self a vic­tim? Pretty much the same things you did when Equifax got hacked: Con­sider tak­ing ad­van­tage of any free credit-mon­i­tor­ing ser­vices you are of­fered, and con­sider freez­ing or lock­ing your credit re­ports.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.