More than 70% of mortgage lenders may put personal data at risk – study

by Ryan Smith04 Mar 2014
A new study by a cybersecurity firm indicates that many large and small mortgage lenders are being careless with customers’ personal and financial data.

A probe by Halock Security Labs of 63 U.S. mortgage lenders found that 45 allowed risky information-sharing practices such as letting applicants send personal and financial information over unencrypted email as attachments. Eight out of the 11 largest U.S. lenders allowed the same unsecure practices as smaller lenders, the study found.

Halock also found that nearly 70% of surveyed lenders encouraged faxing sensitive data – a practice which reduces risk but still isn’t as secure as encryption. More than 40% gave customers the option of sending sensitive information by postal mail, but only 12% offered a secure email portal.

“When asked why a secure email portal was not offered to applicants several of the surveyed lenders responded that it was a matter of what the customer was ‘most comfortable with,’ ” Halock stated in a news release. “While these responses suggest that lenders prioritize their customers’ ease of use over their security, they also suggest an unawareness that their customers are losing confidence in their banks’ commitment to customer privacy.”

One anonymous lender told Halock that less-than-secure practices were easier for lenders as well as customers.

“Oftentimes it was easier to have my clients send documents like W-2′s through email because everyone has access to an email account,” the lender said. “Most of us didn’t want to take the time to explain what a secure portal was and how to use it. Everyone understands what email is.”

But Halock senior partner Terry Kurzynski said convenience was no excuse for sloppiness with customers’ personal data. 

“We understand the business need to smooth the way for our customers, but there are many secure file transfer technologies that are both easy for customers to use, and safe from network snooping. And as the public becomes more demanding of their banks to ensure privacy and security, it’s no longer feasible to rely on unsecure email for the transfer of financial documents,” Kurzynski said. ”Any type of weak link in a system involving sensitive information exposes people to unnecessary risk. It takes months to recover from an identity theft and minutes to log into a secure portal. Do the math.”


Is TILA-RESPA a good or bad thing long term?