[BreachExchange] Latest credit breach exposes mortgage data for thousands of borrowers

[Destry Winant]

https://www.chicagotribune.com/classified/realestate/ct-re-0210-kenneth-harney-20190210-story.html

A large breach of mortgage data that has exposed the personal
financial information of tens of thousands of borrowers raises key
consumer questions: What happens to all those disclosures we make
after we apply for and obtain a home loan — our tax returns, Social
Security numbers, credit card accounts, bank-account numbers and
detailed summaries of our assets?

Where does it all go after the closing? If your mortgage or servicing
rights subsequently are sold and resold to other companies, what
happens to all that intimate information? Does it stay securely
padlocked away somewhere, far out of the reach of criminals?

You would hope so, but consider this: 54,000 mortgage borrowers
recently had their financial data exposed to identity thieves trolling
around on the Internet. Borrowers had no hint that they were
vulnerable, and many may still not know that a breach occurred.

There was no lock on the online files that contained their private
data. Stunningly, their information was not protected by even a simple
password. It's not known at this point whether, or how much, personal
data was accessed, but the files reportedly were exposed for two weeks
or more. Some borrowers could find that criminals already have used
their information to establish new credit card accounts, purchase
merchandise, even apply for new mortgages — creating havoc for the
victims.

First reported by trade publication TechCrunch, the breach involved
loans originated by several companies — Wells Fargo; a unit of
Citigroup; Capital One; HSBC Life Insurance; and others. The loans
were acquired by investment management firm Rocktop Partners LLC,
based in Arlington, Texas. Rocktop's affiliate, Ascension Data &
Analytics, hired a New York-based company, OpticsML, which allegedly
made a "server configuration error" that led to the exposure of the
documents, according to an email sent to me by Sandy Campbell,
Ascension's general counsel.

OpticsML, meanwhile, has gone off-line. As of late last week, its
phone number had been disconnected, and the contact information listed
on its website was nonfunctional. In a statement for this column, a
company spokesman explained that, "In an abundance of caution, we have
taken down our website and servers while we conclude our investigation
of the unauthorized access."

Campbell told me that Ascension is "in regular contact with
law-enforcement investigators" regarding the breach and "is working
with vendors" to send notification letters to affected mortgage
borrowers. It will also provide "credit monitoring, call-center
support and identity-restoration services at no cost."

The banks whose loan clients might have been injured made it clear in
statements that they had no direct involvement in the data breach
because they neither own nor service the mortgages. Nonetheless, a
Citibank spokesman said it is "working to identify potentially
affected customers" and has "instituted a forensic investigation." A
spokeswoman for Wells Fargo told me, "We have no indication that any
Wells systems or service providers were compromised," and the bank
views the "security of our customers' personal information" as "our
priority." Industry experts were aghast at the breach. Paul Benda,
senior vice president for risk and cybersecurity at the American
Bankers Association, said "banks have strict data security protocols
in place ... and protect their (own) data well." So, too, should
companies that acquire mortgages originated by banks and resold in the
secondary market. "If you receive this loan data, well gosh darn it
you need to protect it," Benda added.

Rick Hill, vice president of industry technology for the Mortgage
Bankers Association, called for new "uniform federal standards" for
protecting consumers' data that would apply in instances like this.

The underlying problem here is that the personal information we all
supply to get a home mortgage frequently does not remain with the
lender that made the loan. Mortgages routinely are pooled and sold to
investors in a vast secondary market; those investors may re-sell
chunks of their portfolios to other investors. After a couple of
transactions, the financial data backing an individual mortgage is far
removed from the bank or mortgage company that originated it. As a
general rule, mortgage investors take pains to store client financial
data on platforms that include significant security protections. But
as this new breach illustrates, lapses can occur.

What to do if you find yourself a victim? Pretty much the same things
you did when Equifax got hacked: Consider taking advantage of any free
credit-monitoring services you are offered, and consider freezing or
locking your credit reports.