Is Your Mortgage Data Safe?

Who knew that the year 2019 would start with such a bang for mortgage data breach! We owe the credit to Bob Diachenko off course - an independent security researcher who first discovered 24 million mortgage and bank loan documents lying exposed online without data protection. He was quick to report it to TechCrunch and then began the investigation.

Mortgage data that goes back to more than 10 years, containing highly sensitive personal information, including names, addresses, dates of birth, social security numbers, and other information was accessible on a server, running an Elasticsearch database for at least two weeks. With no password protection, the server gave complete access to everyone to read the massive cache of documents. If this wasn’t enough, the issue worsened on Thursday, 24th Jan.

In the original breach, the server contained mortgage documents that were converted into digital files through OCR.  These files though accessible for the past some weeks weren't easily readable.

However, on Thursday, TechCrunch found another unprotected and exposed server that stored some of the original mortgage and banking documents that would typically be needed for getting a mortgage. This included 23,000 pages of PDF documents of borrower applications and W-9 form and other highly sensitive personal information.

Independent security researcher Bob Diachenko and TechCrunch traced the source of the leaking database to a Texas-based data and analytics company, Ascension. When reached, the company said that one of its vendors, OpticsML, a New York-based document management startup, had mishandled the data and was to blame for the data leak. 

It turns out that data was exposed again — but this time, it was the original documents.

Diachenko found the second trove of data in a separate exposed Amazon S3 storage server, which too was not protected with a password. Anyone who went to an easy-to-guess web address in their web browser could have accessed the storage server and see — and download — the files stored inside.

Source: https://www.housingwire.com

The breach is now being further investigated by forensics and critical facts will be reported from over time. It’s a situation where you’d wish you could go back and set things right. Let’s face it, we live in a world where fraud and cybercrime are very prevalent and such scenarios just make it easy for them to steal identities, file false tax returns, get loans or credit cards.

All of this made me think ‘What is the extent of damage we are exposing our borrowers to in order to get ahead in the race of technology?’

Everyone today talks about AI, robotics, machine learning, big data, cloud … and the list can go on. But are we losing our balance because of jargon? Are we spending enough time evaluating what’s right for us and what’s not? Predictions have been in vogue for more than two decades that technology/robots/blockchain will take over the world and traditional players will be out of business. But is the traditional way of doing business obsolete yet? A deep dive into our everyday mortgage process will point out that it’s not. I am not negating the fact that technology has changed financial services, but hasn’t it caused enough hassles too? Cybercrime and fraud are rising every day. One can still manage the damage in certain non-financial industries, but can a lender today share the liability of putting their borrower’s financial information open to misuse? The answer is no. Then why are we so hungry and over excited about joining the technology bandwagon without understanding the risks associated with it? Lenders must understand what borrowers want and use technology to improve processes that are critical to enhancing the borrower experience. The mortgage industry today is losing sight of the critical factors that when done right can help them enhance their C-Sat – Security, face to face interactions, commitment to timelines, simpler applications, telephonic conversations, etc. Ellie Mae’s Borrower Insights Survey 2018 was helpful in sharing insights about what borrowers really want and need:

1. The top three in enhancing borrower experience: 1% - a faster process, 26.8% - a simpler application and 27% want more communication and face-to-face interaction.

A point that stands out in the chart is that we generally think that millennials want everything online. But that’s not true in the case of a mortgage. 37% millennials said that more face-to-face time with a lender would have improved their mortgage application experience.

2. Borrowers are still leaning towards a ‘fully in person’ mortgage: 44.7% applied for their last mortgage without any online intervention, whereas 21% applied using a combination of online and in-person and only 15% went for a fully online experience.

Yes, cloud storage may be a feasible option for mortgage lenders to reduce their IT and infrastructure costs, especially when the entire industry is walking on the path of cost-cutting. But is it the safest option?  Let’s look at some startling facts about the data breach that are bound to keep you awake at night for it's not only your borrowers' documents but your reputation that’s at stake. Also, the US ranks the highest in many parameters.

According to the 2017 Cost of Data Breach Study: Global Overview (Ponemon Institute, June 2017, Benchmark research sponsored by IBM Security)

• The average total cost of a data breach is $3.62 million - a significant increase in the Middle East (+.83), the United States (+.66) and Japan (+.52)
• Financial services the second highest industry with costly data breaches: $245 per lost or stolen record significantly higher than the average global cost of $141.
• Hackers and criminal insiders cause the most data breaches – 47% with an average cost of $156 to resolve such an attack. The US spent the most to resolve a malicious or criminal attack - $244.
• Malicious or criminal attacks primarily target the Middle East and U.S. organizations – 52% of breaches in the US were due to hackers and criminal insiders.
• The US paid the highest price for losing customers due to data breach: $4.13 million

So, what must lenders do? Technology, on one hand, is a need and on the other hand, data breach numbers are skyrocketing. What is the middle ground?

Three options – Build, buy or outsource. 

Build is easy to understand – it's your company, your resource, your servers, your control. But in the current mortgage market where rising costs are the biggest challenge, can lenders afford to invest in technology build? I think not. 

Let’s look at option 2 – Buy. It’s a bit tricky but an available option predominantly for larger lenders – acquire a company that has the technology and uses their product. A recent example – Fiserv's $22 billion deal to acquire First Data. Fiserv’s CEO Jeffery Yabuki says, “First Data has historically had a reputation of ‘big-box tech,’ but it has technology like Clover. First Data’s platform is advanced. It’s all cloud-based, and you don’t have to lug wires or cable around.” (source: www.paymentssource.com) Here, First Data’s cloud-based services are highly appreciated, and worth being trusted. Why? Isn't it simple – they are the masters in technology and control a third of the U.S. core banking market. 

Lesson to be learned – Trust the experts.

Option 3 is outsourcing. But outsourcing to mature/ robust/ experienced providers only. This according to me is applicable across the breadth of the lending industry. From big to small, every lender can outsource or in other words leverage readily available technology. But there is something that we must be extremely cautious about – who are we partnering with? Given the technology revolution, there are several players in the market with mind-boggling innovations. While most of them are mature tech companies, there exists a percentage of mom and pop shops/small start-ups who work on solutions/products more as time-based projects, try their hand and selling, and if unsuccessful wind up quickly moving on to the next venture – a more short-term plan rather than long them thinking. They will be less concerned or even aware of your information security needs, prone to careless manual errors or even cybercrimes. These are the ones you should keep away from. Make sure you optimize your working capital by partnering with the best. There are many such trusted companies in the market who have decades of experience in developing solutions specifically for lenders. They know your processes well enough to suggest where there may be a need for technology and where process reengineering can help you. These companies do not exist just to sign up any new account, but to truly help their customers with a solutioning mindset.

Coforge BPS have more than a decade of experience in working with leading US-based lenders, including some of the top 25 banks. Our suite of mortgage products and solutions are focused on helping lenders delight their borrowers with faster and smarter processes, on enhancing top-line, increasing efficiency across operations and ensuring optimum security with zero tolerance to non-compliance.

One of our latest innovation for mortgage origination is a true combination of both high-tech and high-touch elements. We use the latest in data intelligence, automation, and services to help lenders close faster, close more and reduce costs significantly. One of your peers (a top US lender) recently achieved 38% faster closing at 61% reduced operating costs. Click here to know how.

You can also reach us at CoforgeBPS@coforge.com and we’ll be happy to discuss your mortgage lending strategy.  Visit our website at https://www.coforge.com/bps/.