[BreachExchange] Failure to Report Breach Costs Mortgage Lender $1.5m

Destry Winant destry at riskbasedsecurity.com
Mon Mar 8 10:35:57 EST 2021


https://www.infosecurity-magazine.com/news/failure-to-report-breach-costs/

An American mortgage lender has shelled out $1.5m to resolve
allegations that it violated the New York Department of Financial
Services (NYDFS) Cybersecurity Regulation.

Residential Mortgage Services, Inc. (RMS), which is headquartered in
South Portland, Maine, was accused of failing to report a data breach
that occurred in 2019.

The breach was uncovered during an investigation of RMS carried out in
July 2020 by the NYDFS. The department found evidence that "a
substantial amount of sensitive personal data" had been exposed after
an RMS employee became the victim of a phishing attack.

By clicking on a malicious hyperlink on March 5, 2019, the employee
unknowingly gave a cyber-criminal access to their email account.

Multi-factor authentication had been implemented at RMS. However, on
March 5 the employee received four separate access alerts from the MFA
application on their smartphone and approved each one.

The following day, after the fifth such prompt for authentication, the
employee notified RMS's IT staff of the anomalous activity.
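The sequence above is the classic MFA push-fatigue ("prompt bombing") pattern: the attacker already holds the password, so every login attempt generates a push challenge, and a single tap of "approve" completes the sign-in. The following detector is an added example, not code from the article, RMS or NYDFS. It groups MFA push challenges per user into bursts, alerts when a burst reaches a threshold, and ranks the alert higher when any challenge in the burst was approved. The log format, event names and sample lines are assumptions constructed for illustration.

```python
"""Flag MFA push-fatigue ("prompt bombing") bursts in authentication logs.

Added example, not code from the article, RMS or NYDFS. The log format and
event names are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, NamedTuple

# Constructed sample log (not real incident data). One event per line:
#   <ISO-8601 UTC timestamp> <user> <event> <source_ip>
# alice: four challenges minutes apart, all approved (the pattern in the article).
# bob:   two challenges hours apart, ordinary sign-in behaviour.
# carol: three challenges minutes apart, all denied; the attacker still holds
#        a valid password, so this should alert too (at lower severity).
SAMPLE_LOG = """\
2019-03-05T09:01:12Z alice mfa_push_sent     203.0.113.7
2019-03-05T09:01:40Z alice mfa_push_approved 203.0.113.7
2019-03-05T09:05:02Z alice mfa_push_sent     203.0.113.7
2019-03-05T09:05:30Z alice mfa_push_approved 203.0.113.7
2019-03-05T09:09:45Z alice mfa_push_sent     203.0.113.7
2019-03-05T09:10:01Z alice mfa_push_approved 203.0.113.7
2019-03-05T09:14:20Z alice mfa_push_sent     203.0.113.7
2019-03-05T09:14:55Z alice mfa_push_approved 203.0.113.7
2019-03-05T08:30:00Z bob   mfa_push_sent     198.51.100.4
2019-03-05T08:30:20Z bob   mfa_push_approved 198.51.100.4
2019-03-05T17:45:00Z bob   mfa_push_sent     198.51.100.4
2019-03-05T17:45:18Z bob   mfa_push_approved 198.51.100.4
2019-03-05T11:00:00Z carol mfa_push_sent     192.0.2.88
2019-03-05T11:00:30Z carol mfa_push_denied   192.0.2.88
2019-03-05T11:02:00Z carol mfa_push_sent     192.0.2.88
2019-03-05T11:02:20Z carol mfa_push_denied   192.0.2.88
2019-03-05T11:04:00Z carol mfa_push_sent     192.0.2.88
2019-03-05T11:04:15Z carol mfa_push_denied   192.0.2.88
"""


class Event(NamedTuple):
    ts: datetime
    user: str
    event: str
    ip: str


@dataclass(frozen=True)
class Alert:
    user: str
    first_challenge: datetime
    last_challenge: datetime
    challenges: int
    approvals: int
    source_ips: frozenset
    severity: str  # "high" if any challenge in the burst was approved, else "medium"


def parse_log(text: str) -> List[Event]:
    """Parse the whitespace-separated log into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return sorted(events)


def detect_push_fatigue(text: str, threshold: int = 3,
                        max_gap: timedelta = timedelta(minutes=10)) -> List[Alert]:
    """Return one Alert per user burst of >= threshold push challenges.

    Consecutive challenges closer together than max_gap belong to the same
    burst. Responses (approved/denied) up to max_gap after the last challenge
    are attributed to that burst.
    """
    by_user = defaultdict(list)
    for ev in parse_log(text):
        by_user[ev.user].append(ev)

    alerts = []
    for user in sorted(by_user):
        evs = by_user[user]
        challenges = [e for e in evs if e.event == "mfa_push_sent"]

        # Split the challenge stream into bursts on gaps longer than max_gap.
        bursts, current = [], []
        for c in challenges:
            if current and c.ts - current[-1].ts > max_gap:
                bursts.append(current)
                current = []
            current.append(c)
        if current:
            bursts.append(current)

        for burst in bursts:
            if len(burst) < threshold:
                continue
            start, end = burst[0].ts, burst[-1].ts + max_gap
            approvals = sum(1 for e in evs
                            if e.event == "mfa_push_approved" and start <= e.ts <= end)
            alerts.append(Alert(user, burst[0].ts, burst[-1].ts, len(burst), approvals,
                                frozenset(c.ip for c in burst),
                                "high" if approvals else "medium"))
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(SAMPLE_LOG):
        print(f"[{a.severity}] {a.user}: {a.challenges} challenges, "
              f"{a.approvals} approved, {a.first_challenge:%H:%M}-{a.last_challenge:%H:%M}, "
              f"from {sorted(a.source_ips)}")
```

Run against the sample, alice is flagged high (four challenges, four approvals) and carol medium (three challenges, none approved); bob's two widely spaced challenges never form a burst. The "medium" case matters: a user who keeps denying prompts is telling you the password is already compromised, and the right response is a credential reset, not just relief that nothing was approved.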

The NYDFS found evidence that RMS chose to keep the breach a secret
and did not look into what impact it may have had.

“Until prompted to do so by DFS in 2020, RMS failed to conduct an
investigation and identify the consumer data exposed,” stated the
department.

A further finding of the NYDFS investigation was that RMS had no
comprehensive cybersecurity risk assessment in place despite being
obliged to under the Cybersecurity Regulation.

“It is of paramount concern to protect all consumers as cyber threats
continue to surge during a vulnerable time,” said Superintendent of
Financial Services Linda Lacewell.

"DFS will continue to take nation-leading actions to ensure that our
licensees fulfill their cybersecurity duties, safeguarding the private
data of their New York customers, and all of the customers they serve,
no matter where they reside."

Under the terms of the settlement reached on March 3 between RMS and
the NYDFS, RMS has agreed to pay $1.5m and to improve its existing
cybersecurity program so that it is in full compliance with the
Cybersecurity Regulation.

RMS operates in 21 American states including New York.
