TheMReport — News and strategies for the evolving mortgage marketplace.
Issue link: http://digital.themreport.com/i/895084
TH E M R EP O RT | 15 FEATURE the lender to be compromised for data breaches to occur. It's impor- tant borrowers understand not to send documents via email, not to send money via wiring instruc- tions if you haven't called and talked to someone and verified that it's real," said Jones. Threat 4: Privilege Misuse W hile strangers typi- cally execute the hacking techniques described above, companies also need to prepare themselves for data breaches that originate within their own companies. As Bloodgood neatly phrases it, never underestimate "simple malice." According to the Verizon's data breach report, 25 percent of breaches involved internal actors, while 2 percent involved partners. "Poor internal controls make it easy for dishonest employees, vendors, and even cleaning people to steal data," said Bechtle. While companies need to be aware that disgruntled or recently terminated employees may release data if proper exit protocols aren't strictly followed, Bechtle also warns against employees being careless with data due to ignorance of the possible consequences. "Some examples include leaving document files out in the open un - secured in your office, not masking sensitive data on computer screens, granting improper access to sensitive data to nonessential employees, and sharing data with third parties that do not have proper security controls in place," said Bechtle. Threat 5: Physical Theft and Loss A s Bechtle noted, at times steal- ing data is a crime of opportu- nity when hard-copy files with im- portant financial information are left lying around. In this internet-heavy day and age, physical data threats are often overlooked (according to Verizon it only represents 8 percent of the tactics used to comprise data), but it only takes moments for thieves to snatch data that is provided in a physical source. In addition to taking data that is in plain sight, would-be thieves who are granted access to your workstation also have opportuni - ties to install key loggers or data skimmers, disable controls, and seek other ways to infiltrate your systems in person. Like the other forms of data breaches described, education is once again crucial to cutting down on the most common types of physical data breaches that compa - nies suffer. "People are still the most difficult factor to control and the weak- est link in the security chain. We must be diligent about training and testing our people, not just once or even periodically but on an ongoing basis," said Hougaard. Perhaps the only silver lining of being a victim of a physical data attack is that according to Verizon, these types of data breaches are often discovered much quicker—in minutes, hours, or days, rather than in months. In addition to malicious ex - amples, physical theft can also occur due to carelessness or loss on the part of the data owner. "The majority of confirmed [physical] breaches involve lost documents (several with record-loss totals in the thousands). … This requires adjusting corporate culture to not print out sensitive data if not necessary for business operations, or tokenizing data when printing is required. This will also help with disposal errors covered in another pattern," the Verizon study advised. Protecting Against the Unknown Threat W hen it comes to "known unknowns," we are aware When data breaches that impact millions of consumers occur, it can be difficult to see beyond the big numbers to see how individual homeowners are impacted. Joe Bowerbank, President of Profundity Communications, Inc., is used to being enmeshed in the ins and outs of the mortgage industry through the clients he represents. However, Bowerbank found himself on the other side of the equation when thieves who accessed the info he and his wife provided to mortgage lenders while shopping for a loan stole his identity. Bowerbank shares his story as a cautionary tale to other homebuyers, and a reminder to mortgage professionals the true toll that consumers take when data is breached. M // On average, how would you summarize the data-protection methods taken during your loan application process? When I was shopping for a favorable loan rate, all but one of the lenders I was looking at were using email to receive tax returns, W2s, financials, drivers' licenses, account details, and other sensitive information. I knew email wasn't safe but a couple of properties went on the market that were of high interest and I had to move quickly in order to get a preapproval letter and make an offer, so I went with these requests. Several lenders wanted me to drop off hard copies of my business and personal tax returns, as well as all of my financial and bank statements. Just leave them at reception, they said though the files were completely unsecure and vulnerable. One company that requested this was a top-three credit union that after they made copies of my tax returns, returned them out of order and with pages missing. The other company was a well-known bank that requested all email and hard copies. Big mistake on my part. M // How did you first learn your data had been hacked? A few of months after the loan-application process, I received a credit card bill from Discover. I've never had a Discover card. I knew instantly what happened. And then the cleanup process began, working with the credit bureaus and the companies I now owed money to. M // How did the release of your information impact you long term? I felt the impact again a few years later when I tried to buy another property that I really wanted. My credit was a big issue. Having my identity stolen completely interfered with getting the loan and striking while the iron was hot. Someone else got the property in about a week and a half while I was still scrambling. When the breach first occurred, I spent a few hundred dollars on LifeLock ® but all that really does is notify you when the bad guy does something with your information. The fact is that my information is still out there and I'm told that it will eventually be resold on the black market at some point, so while all the long-term ramifications are yet to be seen, I'm probably going to go through this experience again.