A large breach of mortgage data that has exposed the personal financial information of tens of thousands of borrowers raises key consumer questions: What happens to all those disclosures we make after we apply for and obtain a home loan — our tax returns, Social Security numbers, credit card accounts, bank-account numbers and detailed summaries of our assets?
Where does it all go after the closing? If your mortgage or servicing rights subsequently are sold and resold to other companies, what happens to all that intimate information? Does it stay securely padlocked away somewhere, far out of the reach of criminals?
You would hope so, but consider this: 54,000 mortgage borrowers recently had their financial data exposed to identity thieves trolling around on the Internet. Borrowers had no hint that they were vulnerable, and many may still not know that a breach occurred.
There was no lock on the online files that contained their private data. Stunningly, their information was not protected by even a simple password. It’s not known at this point whether, or how much, personal data was accessed, but the files reportedly were exposed for two weeks or more. Some borrowers could find that criminals already have used their information to establish new credit card accounts, purchase merchandise, even apply for new mortgages — creating havoc for the victims.
First reported by trade publication TechCrunch, the breach involved loans originated by several companies — Wells Fargo; a unit of Citigroup; Capital One; HSBC Life Insurance; and others. The loans were acquired by investment management firm Rocktop Partners LLC, based in Arlington, Texas. Rocktop’s affiliate, Ascension Data & Analytics, hired a New York-based company, OpticsML, which allegedly made a “server configuration error” that led to the exposure of the documents, according to an email sent to me by Sandy Campbell, Ascension’s general counsel.
OpticsML, meanwhile, has gone off-line. As of late last week, its phone number had been disconnected, and the contact information listed on its website was nonfunctional. In a statement for this column, a company spokesman explained that, “In an abundance of caution, we have taken down our website and servers while we conclude our investigation of the unauthorized access.”
Campbell told me that Ascension is “in regular contact with law-enforcement investigators” regarding the breach and “is working with vendors” to send notification letters to affected mortgage borrowers. It will also provide “credit monitoring, call-center support and identity-restoration services at no cost.”
The banks whose loan clients might have been injured made it clear in statements that they had no direct involvement in the data breach because they neither own nor service the mortgages. Nonetheless, a Citibank spokesman said it is “working to identify potentially affected customers” and has “instituted a forensic investigation.” A spokeswoman for Wells Fargo told me, “We have no indication that any Wells systems or service providers were compromised,” and the bank views the “security of our customers’ personal information” as “our priority.” Industry experts were aghast at the breach. Paul Benda, senior vice president for risk and cybersecurity at the American Bankers Association, said “banks have strict data security protocols in place … and protect their [own] data well.” So, too, should companies that acquire mortgages originated by banks and resold in the secondary market. “If you receive this loan data, well gosh darn it you need to protect it,” Benda added.
Rick Hill, vice president of industry technology for the Mortgage Bankers Association, called for new “uniform federal standards” for protecting consumers’ data that would apply in instances like this.
The underlying problem here is that the personal information we all supply to get a home mortgage frequently does not remain with the lender that made the loan. Mortgages routinely are pooled and sold to investors in a vast secondary market; those investors may re-sell chunks of their portfolios to other investors. After a couple of transactions, the financial data backing an individual mortgage is far removed from the bank or mortgage company that originated it. As a general rule, mortgage investors take pains to store client financial data on platforms that include significant security protections. But as this new breach illustrates, lapses can occur.
What to do if you find yourself a victim? Pretty much the same things you did when Equifax got hacked: Consider taking advantage of any free credit-monitoring services you are offered, and consider freezing or locking your credit reports.