Hackers infiltrated a "noncore system" at DocuSign and stole an undisclosed number of its customers' email addresses; no other personal data was taken.
The electronic signature provider discovered the breach while investigating a phishing campaign in which the attackers tried to trick recipients into opening a Word document that would install malware on their computers.
Mortgage companies, banks and other financial services firms should respond to the breach by stepping up the monitoring of their e-signature and e-vault providers.
"This is an example of how important it is to vet your service provider, and this also supports why the licensing model [for e-sign technology] is still very valid," said Kelly Purcell, managing director of the consulting firm eRelevant.
DocuSign reported that "a separate noncore system that allows us to communicate service-related announcements to users via email" was accessed by a third party. Its core systems apparently were not compromised.
No personal information such as names, physical addresses, passwords, Social Security numbers or credit card numbers was obtained in the breach, and customers' documents sent through the e-signature service were not accessed, the company said on its DocuSign Trust Center webpage.
It is unfortunate that DocuSign's data breach happened but it should not be a setback for the financial industry's use of electronic signatures and e-vaulting technology, Purcell said.
Lenders will likely have to step up their ongoing oversight of DocuSign, since the Consumer Financial Protection Bureau's policy holds financial institutions responsible for the activities of their vendors.
For data security reasons, many companies would rather license the technology and run it behind their own firewall than access it through the cloud, Purcell said.
A lender that uses a third-party hosted platform has very little control over certain vendor activities; licensing the software and running it in-house gives the lender that control.
"There needs to be as much emphasis on the security of a noncore system as on a core system when you're providing services for financial services companies and consumers," Purcell said.
Data security officers should press DocuSign for more detail on what its statement that only a noncore system was involved really means, she said.