Breach shows vulnerability of mortgage data information
Kenneth R. Harney
WASHINGTON — A large breach of mortgage data that has exposed the personal financial information of tens of thousands of borrowers raises key consumer questions: What happens to all those disclosures we make after we apply for and obtain a home loan?
Where does it all go after the closing? If your mortgage or servicing rights subsequently are sold and resold to other companies, what happens to all that intimate information? Does it stay securely padlocked away somewhere?
You would hope so, but consider this: 54,000 mortgage borrowers recently had their financial data exposed to identity thieves trolling around on the Internet. Borrowers had no hint that they were vulnerable, and many might still not know that a breach occurred.
There was no lock on the online files that contained their private data. Stunningly, their information was not protected by even a simple password. It's not known at this point whether, or how much, personal data was accessed, but the files reportedly were exposed for two weeks or more. Some borrowers could find that criminals already have used their information to establish new credit-card accounts, purchase merchandise, even apply for new mortgages — creating havoc for the victims.
First reported by trade publication Techcrunch, the breach involved loans originated by several companies — Wells Fargo, a unit of Citigroup, Capital One, HSBC Life Insurance and others. The loans were acquired by investment-management firm Rocktop Partners LLC, based in Arlington, Texas. Rocktop's affiliate, Ascension Data & Analytics, hired a New York-based company, Opticsml, which allegedly made a "server configuration error" that led to the exposure of the documents, according to an email sent to me by Sandy Campbell, Ascension's general counsel.
Opticsml, meanwhile, has gone offline. As of late last week, its phone number had been disconnected, and the contact information listed on its website was nonfunctional. In a statement for this column, a company spokesman explained that, "In an abundance of caution, we have taken down our website and servers while we conclude our investigation of the unauthorized access."
Campbell told me that Ascension is "in regular contact with law-enforcement investigators" regarding the breach and "is working with vendors" to send notification letters to affected mortgage borrowers. It will also provide "credit monitoring, call-center support and identityrestoration services at no cost."
Kenneth R. Harney covers housing issues on Capitol Hill for The Washington Post Writers Group. ken harney@earthlink.net.