Vulnerabilities in Equifax's The Work Number raise new security doubts
Recently exposed security vulnerabilities in an Equifax tool used extensively in the mortgage industry are raising new questions about the reliability and veracity of the beleaguered credit bureau's employment verification service.
Consumer data stolen in Equifax's massive data breach earlier this year could be used to access employment history and salary data collected by The Work Number, according to a report by cybersecurity journalist Brian Krebs.
While access to The Work Number's browser-based portals is protected by various authentication measures, much of the data needed to gain access can be found online, according to Krebs.
"Successful validation to the system produces two sets of data: An employee's salary and employment history going back at least a decade, and a report listing all of the entities…that have previously requested and viewed this information," Krebs wrote.
Many of the vulnerable Work Number web pages were taken down for maintenance after the report was published. Equifax did not respond to NMN's repeated inquiries about The Work Number vulnerabilities or the timing of the website maintenance. (Update: Equifax restoring The Work Number portal with beefed-up security)
The mortgage industry uses The Work Number to verify borrower employment information during underwriting. Its automated tools save lenders time by eliminating the need to call employers directly to get borrowers' salary information and is integrated in many widely used mortgage technology platforms, including loan origination systems and the automated underwriting systems of Fannie Mae and Freddie Mac.
The Work Number is also the exclusive vendor for lenders to receive representation and warranty waivers on verification of employment data in Fannie Mae's Day 1 Certainty program.
Fannie Mae has seen no sign of the data breach or the vulnerabilities exposed in The Work Number affecting its integrations between Equifax and Fannie's Desktop Underwriter AUS, said spokesman Pete Bakel. But the agency is continuing to assess and monitor all its interactions with Equifax.
Employers opt in to providing their workers' salary information to Equifax. In most cases, individuals have little-to-no say in whether their data is shared, and many large employers exclusively use the service for VOE requests.
It's unclear whether the vulnerabilities exposed in The Work Number or website maintenance have affected lenders' ability to use the service for current mortgage applicants. And it remains to be seen whether these issues will prompt employers to reconsider whether to provide their workers' salary data to Equifax in the future — a move that could help employers better control their risk exposure, but add time and expense for lenders already grappling with costly underwriting processes.
But Equifax's ongoing challenges point to broader data security risks that consumers, lenders, their vendors, and government officials all must work to address, said Curtis Knuth, executive vice president at National Credit-reporting System, a provider of tax and employment verification services.
"At the end of the day, when it comes to portals, the more doors you have available to folks, the greater the risk," he said.
There are parallels between the security concerns that Equifax is wrestling with and others that the government has faced with securing consumers' tax data, Knuth noted. Legislative efforts are under way in both cases aimed at addressing security concerns.
The breach at Equifax reminds lenders that they need to double-check the security of any portal through which they transmit sensitive borrower information, said Dan Jones, vice president of technology and sales support at Churchill Mortgage.
"I think Equifax is indicative of something we knew all along. At some point everyone's data is going to be breached in some way shape or fashion," he said. "We need secure email, document uploads and portals."
Separately, Equifax said it recently discovered and removed malicious software code from a consumer-facing website that provides access to credit reports and dispute resolution tools.
"The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor's code running on an Equifax website was serving malicious content," Equifax spokesman Wyatt Jefferies said in an email. "Since we learned of the issue, the vendor's code was removed from the web page and we have taken the web page offline to conduct further analysis."
"Equifax can confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal," the statement adds.
The Work Number is offered through Equifax's Workforce Solutions division. Its president, Rodolfo Ploder, is one of three senior executives who sold Equifax stock worth nearly $2 million days after the breach was discovered, but before it was made public. The Department of Justice is said to be investigating whether the transactions violated insider trading laws. Equifax claims the executives were not informed of the breach.