Mortgage players report series of data breaches

Malware, phishing and a massive zero-day incident hit mortgage players this summer, attacks which compromised the personally identifiable information of thousands of consumers. 

The companies in public notices revealed hacks affecting as few as around 1,200 customers and as many as about 7,500 clients. The firms said there was no evidence PII, including loan documentation and Social Security numbers, had been misused. 

Outside of the individual attacks, Planet Home Lending said it also suffered collateral damage from a ransomware gang's vendor software breach in June which feds say affected over a thousand companies, including banks and non-bank lenders. Hackers in that attack found a previously undiscovered vulnerability in a file transfer software.

The recent spate of hacks pales in comparison to mortgage breaches in recent years impacting millions of consumers, but is a reminder of the persistent cyber threat. Data breaches cost financial services firms this year on average almost $6 million. Reeling mortgage businesses are also often saddled with class action lawsuits.

The activity coincided with rising mortgage fraud risks this summer, compounding already elevated origination costs amid historic-low business. 

Planet Home Lending and Mutual of Omaha Mortgage, another affected lender, declined to comment, while none of the other impacted companies responded to requests for comment.

Each firm provided its affected customers with 12 to 24 months of complimentary credit monitoring and identity theft restoration services from either Experian or IDX, according to notices with the Office of the Maine Attorney General.

Home builder Lennar Corp. had the largest publicly disclosed breach among industry firms this summer, with the SSNs of 7,448 consumers exposed in a July hack. The company discovered the unauthorized activity within its system July 20, the same day it began, and notified law enforcement and cyber security experts. Lennar notified its consumers of the unspecified type of hack last week.

Scottsdale, Arizona-based V.I.P. Mortgage was the victim of a malware attack last December, according to its September notice. The unnamed hacker may have accessed SSNs for some of the 5,415 clients the lender notified. VIP completed its investigation into the hack in August. 

Insurer Mutual of Omaha meanwhile told 1,193 of its mortgage consumers last month their PII and loan numbers were involved in a phishing attack. The email incident, according to a Maine notice, lasted four days in early June. 

"Upon discovery, Mutual Mortgage took immediate action to change the employees' Microsoft account passwords to prevent further access to the Microsoft accounts, as well as blocked the identified phishing addresses to prevent further occurrences," wrote Terry Connealy, president of Mutual of Omaha Mortgage, in a notice to customers. 

Planet Home Lending was caught in the same zero-day attack that already ensnared customers of RoundPoint Mortgage and PennyMac. A ransomware gang found an undiscovered vulnerability in MOVEit, a file transfer product used by numerous financial services firms. SSNs of Planet Home Lending consumers were exposed in the three-day breach in early June, the lender said.

"We have also installed all patches released by Progress Software, and implemented additional technical safeguards to help prevent similar incidents in the future," read the Aug. 31 notice by Planet.

Flagstar Bank, the victim of two massive breaches in recent years, said 837,390 of its customers were exposed in the vendor breach. It's unclear if any of the depository's mortgage clients were involved, and the bank only identified SSNs as being compromised.
