Study Shows 45 Mortgage Lenders Have Risky Information Sharing Practices

Facts: On March 4, a new study by a cybersecurity firm indicates that many large and small mortgage lenders are being careless with customers’ personal and financial data.

A probe by Halock Security Labs of 63 U.S. mortgage lenders found that 45 allowed risky information-sharing practices such as letting applicants send personal and financial information over unencrypted email as attachments. (You should be using https at a minimum.) Eight out of the 11 largest U.S. lenders allowed the same unsecure practices as smaller lenders, the study found.

Halock also found that nearly 70% of surveyed lenders encouraged faxing sensitive data–a practice which reduces risk but still isn't as secure as encryption. More than 40% gave customers the option of sending sensitive information by postal mail, but only 12% offered a secure email portal.

One anonymous lender told Halock that less-than-secure practices were easier for lenders as well as customers. "Oftentimes it was easier to have my clients send documents like W-2's through email because everyone has access to an email account," the lender says. "Most of us didn’t want to take the time to explain what a secure portal was and how to use it. Everyone understands what email is."
But Halock senior partner Terry Kurzynski says convenience was no excuse for sloppiness with customers' personal data. 

"We understand the business need to smooth the way for our customers, but there are many secure file transfer technologies that are both easy for customers to use, and safe from network snooping. And as the public becomes more demanding of their banks to ensure privacy and security, it’s no longer feasible to rely on unsecure email for the transfer of financial documents," Kurzynski says. "Any type of weak link in a system involving sensitive information exposes people to unnecessary risk. It takes months to recover from an identity theft and minutes to log into a secure portal. Do the math.”   (mpa3414)

Moral: Without the identity theft and safeguarding privacy manuals whether purchased from us or others you risk federal violations by CFPB, state violations by the licensing agency of your state such as CALBRE, DFI, etc., personal liability by the consumers. As you can see from the above study, 45 out of 63 had issues, meaning they did not have or ignored the information in the manuals. One of the first things we look for in an audit is the "https". If you are taking in consumer financial information and the determining who will be audited. How long the screen remains on when a loan officer is not in attendance and the paper in the trash. 

Two Arrested for Hacking Into Servers and Stealing Borrower Information

Facts: On Feb. 28, two men were charged with hacking into the computer servers of a major U.S. mortgage broker to steal personal information and use it to siphon funds from the brokerage accounts of thousands of victims.

Jason Ray Bailey and Victor Alejandro Fernandez were charged in a two-count indictment with conspiracy to commit wire fraud and computer hacking.

According to charging documents, both men are part of a Tijuana-based conspiracy that hacked the computer servers of a mortgage broker and obtained mortgage applications containing customers' personal information, including names, birth dates, Social Security numbers, addresses, assets, tax information and driver's licenses. Approximately 4,200 customers had their information stolen between December 2012 and June 2013, and the conspiracy dates back to July 2011, the charging documents say. The hackers illegally accessed Blitzdoc, a program the mortgage company used to store the personal information of its customers.

Members of the conspiracy used victims’ stolen information to impersonate the mortgage customers, open credit lines in their names, and steal their assets, according to the charging documents. For example, members of the conspiracy identified multiple victims' brokerage accounts and fraudulently took control of the accounts by first calling the brokerage companies and providing the victims' personal identification information and then changing the victims' passwords and contact information. Once the defendants gained control of the accounts, members of the conspiracy allegedly wired funds from the victims’ brokerage accounts to coconspirators' U.S. bank accounts in the San Diego and Calexico areas. Several of these wires were over $20,000 and $30,000 each. (usattycasd22814)

Moral: And you thought the mortgage originator had a good firewall to protect your personal information. Since you are entitled to a free credit report from each bureau once a year, do it once every four months, one from each bureau. Better safe now than sorry later.

"Real Housewives of New Jersey" Couple Pled Guilty to Mortgage Fraud and More

Facts: Teresa and Giuseppe "Joe" Giudice, who were featured on the reality television show "Real Housewives of New Jersey" have changed their respective pleas to guilty from not guilty. They were originally accused of dozens of charges including bank fraud, wire fraud and bankruptcy fraud.

The couple is accused of exaggerating income while applying for loans before the show was put on TV in 2009, then hiding their fortunes in a bankruptcy filing after their first season aired.

They are also accused of submitting fraudulent mortgage and loan applications and fabricating tax returns and W-2 forms. Joe Giudice also allegedly failed to file federal tax returns for several years beginning in 2004. (ap3414)

Moral: Busy little beavers, weren’t they? Usually based upon my experience, if you do not file your tax returns for a set number of years, the federal agents come visiting. If it is a revenue agent it is generally civil. However, if it is a special agent it has gone criminal and they usually do not negotiate at that stage.

Two "Sovereign Citizens" of Georgia Found Guilty, Face 40 Years in Prison

Facts: Susan Lorraine Weidman and Matthew Lowery, two self-described "sovereign citizens" from Georgia are each facing up to 40 years after being convicted on mortgage fraud and racketeering.

The pair tried to take possession of houses they did not own. Both have proclaimed themselves "sovereign citizens," a movement which holds that the government holds legal authority only over those who consent to it. "Sovereign citizens" believe that by declaring their refusal to consent to government control, they exempt themselves from things such as taxes, mortgage payments and property laws. No "sovereign citizen" defense has ever been successful when adherents of the movement have been brought to trial.

In the Georgia case, Weidman entered a vacant home, changed the locks and filed false documents with the DeKalb County clerk claiming the house as her own. Lowery, meanwhile, also took up residence at a vacant home.

When Lowery's "ownership" was challenged by the bank that actually owned the home, Weidman sent a letter from a fictitious law firm, signed by a nonexistent lawyer on behalf of a wholly imaginary property-management company, threatening legal action against the bank's representatives.
"The ludicrous 'explanations' these defendants gave for going into vacant houses and trying to claim them as their own defies common sense, and the jurors saw that," said Cobb County, Ga., deputy chief assistant district attorney John Melvin. "Weidman went so far as to create a fictitious law firm and assume fake names. If she believed what she was doing was legal, as she claimed, she wouldn't have to lie about it."

A father and son who were indicted with Weidman and Lowery have already pleaded guilty. Giulio Greye and Ian Greye were sentenced to five and 10 years, respectively. (mpa3314)


The information contained herein is not legal advice. An attorney should be consulted if you desire legal advice.