Pennymac, RoundPoint clients exposed to global data breach

Two mortgage companies this week joined the list of financial institutions and other businesses with customers exposed to massive data breaches in software that vendor Sovos Compliance used.

RoundPoint Mortgage and Pennymac's loan services affiliate said in government filings based on a template from Sovos that the vendor had recently notified the housing finance firms that some of their clients were among those impacted.

Customers affected receive information about what type of data the unauthorized third-party involved downloaded and access to two years of credit monitoring and identity restoration from Kroll Information Assurance, according to the filings.

"Pennymac has taken swift action to ensure that any individuals directly impacted were contacted. No Pennymac systems were compromised and we continue to monitor the remediation efforts," that company said in an emailed statement.

RoundPoint is in the midst of an acquisition and at the time its buyer reported second quarter earnings the deal had not yet closed due to pending state approvals.

None of the companies involved in the pending acquisition had provided additional or updated information about the deal's status or the data breach at deadline, outside of what RoundPoint filed with California about the latter.

The Golden State, which has particularly strict legal protections related to consumer privacy, requires businesses or state agencies to notify any resident if an authorized person is considered likely to have seen their unencrypted personal information.

If entities need to notify more than 500 California residents of a data breach, they must file a generic sample copy of the notices they are sending out with the state.

Neither RoundPoint nor Pennymac specified how many of their customers the breach affected, but the latter company noted that overall, the security issue impacted over 1,000 organizations and 60 million people globally.

Pennymac said it is continuing to monitor impacts of the breach of a file management program called MOVEit created by Progress Software that Sovos used.

"We remain diligent in maintaining the safety and security of non-public personal information," Pennymac said, adding that the commitment it has to this "extends past this particular incident."

In response to an inquiry, Progress emailed a statement attributed to a spokesperson for MOVEit, characterizing the breach as stemming from "a sophisticated multi-stage attack" on the file management program and related cloud technology.

"We worked quickly to provide initial mitigation strategies," the spokesperson said in an email.

Immediate responses to the attack included a patch that fixed the issue and notification to clients so they could protect their systems.

"We are committed to playing a collaborative role in the industry-wide effort to combat cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products," the spokesperson added.

Other mortgage servicers such as Cornerstone Capital Bank have also reported data breaches from separate security incidents recently.