Steps mortgage lenders should take to protect their data

A series of data breaches hit the financial services sector at the end of 2023 and into the new year, highlighting how vulnerable the mortgage industry can be to attacks from bad actors. 

Millions of borrowers have had their personally identifiable information exposed, with Social Security numbers and bank account information shared on the dark web. These incidents have put mortgage stakeholders on alert regarding how they can protect their infrastructure going forward.

Companies recently impacted include: Loandepot, Mr. Cooper, Academy Mortgage, Fairway Independent Mortgage, Planet Home Lending, Fidelity National Financial and First American Financial Corporation.

Attacks have been carried out using third-party vendor vulnerabilities and other means, such as directly attacking companies through phishing with spoofed emails. Bad actors have become more sophisticated, using generative artificial intelligence to mimic communications, making it harder to spot fakes, cyber security experts say.

These incidents not only hurt mortgage companies reputationally, but also financially. Loandepot and Mr. Cooper, both public companies, revealed the aftermath of being attacked amounted to millions in expenses, filings with the Securities and Exchange Commission show.

According to Ike Suri, CEO of FundingShield, there truly is a rise in cyber crime that has impacted the mortgage industry – it's not just conjecture. Some of it stems from lenders beefing up vendor reliance during the recent mortgage boom, in a push to speed up originations.

"Lenders and large institutions have always counted [attacks] as the cost of doing business and have wiped it under the rug," Suri said. "There was a spike [during the pandemic] and there continues to be a spike."

It is inevitable these attacks will continue, and as nefarious players get better at finding weak points in technology, there are steps mortgage companies should consider taking to protect their data and infrastructure going forward.

Third-party governance

As of late, the majority of attacks on mortgage companies have been perpetrated through third-party vendor vulnerabilities, highlighting the importance of vendor risk management.

An example of a vulnerability that rocked the mortgage industry late last year is Citrix Systems' bug that resulted in attacks hitting Planet Home Lending, Academy Mortgage and Fairway Independent Mortgage, the lenders disclosed in filings.

The Citrix vulnerability was first discovered in August and the tech firm began releasing software updates in early October, according to the Cybersecurity and Infrastructure Security Agency. The exploit, known as "Citrix Bleed," allowed hackers to bypass multi-factor authentication to hijack user sessions for Citrix's NetScaler ADC and Gateway information security software.

AlphV and Lockbit, both prolific ransomware gangs, used this weak spot to access the PII of mortgage customers.

"You're only as secure as your weakest link," said Jeff Margolies, chief product and strategy officer at security firm Saviynt. "If you think of a typical ransomware kill chain, it usually starts with gaining access to someone's endpoints, including a laptop or a phone. A lot of financial services institutions have done a good job of educating [employees] to block those things, but not all third parties have these practices, so it's easier to take advantage of a vendor."

To mitigate this going forward, Margolies recommends that lenders tighten security protocols around third parties that might be connected to a company's network.

"Make sure you understand who your third parties are, make sure you're actively managing what they have access to, and when [it might give hackers access] to move laterally within your network," he said.

Lenders should also be aware of when vendors issue updates and patches to their systems, or they risk having their systems breached.

Fairway, in a filing, pointed out it did not immediately implement a patch to a Citrix product it was using, opening the door for nefarious actors to access customer data. In Massachusetts, 430 customers were impacted by the cyber attack, which exposed their Social Security numbers, bank account information and credit card numbers. If the update had been applied sooner, the hack may have been prevented.

"If there's not a robust environment in a company to invest in to keep up with quality, integrity and ensuring that updates are done in a timely manner, where nothing is exposed where there can be a backdoor entry…it leads to these kinds of situations," Suri said.

Suri believes the Consumer Financial Protection Bureau will soon be publishing more stringent regulations around third-party management.

Phishing gets a facelift with AI

Phishing is often the easiest avenue for a hacker to take to get into a mortgage lender's system, cyber security professionals say. But now the tactic is getting more sophisticated with the help of artificial intelligence.

"It's just the lowest hanging fruit," said Margolies. "It's the human factor and it's kind of a scale factor. If you have thousands of employees and you're 99.9% effective in convincing them to not be susceptible, there will always be that .1%."

Either phishing or smishing, which is phishing on SMS, can be used as a means to orchestrate a ransomware attack, said Caroline McCaffery, CEO of ClearOPS.

"Phishing is usually seen in the form of well-crafted emails that trick someone into clicking a link, and before, a lot of anti-phishing exercises were based on seeing where the tricks were in the words that were contained in the email," said McCaffery. "With generative AI, now [attackers] can create images that look exactly like that company, or so close that it tricks you. There are now no longer red flags that you would've seen otherwise."

McCaffery suggests turning off smart addresses if you're using Apple Mail.

When you do so, "almost 9 times out of 10, if not higher, you'll be able to catch a phishing attempt just by looking at the actual email address because it often is from a Gmail account not from a corporate email."

Additionally, McCaffery says turning off JavaScript in email can be a good step to protect yourself.

"That means you see all emails in plain text, but you can clearly see a phishing attempt when you do that," she added. "It is obvious within a few seconds, but that means you don't see rendered pictures, you don't see any of that sort of thing, but it is a great countermeasure for security."

Importance of in-house systems management

Having your in-house protocols in order may be one of the best ways to either prevent an attack, or be quick in reacting to one, those who work in the cyber security space say.

Specifically, there should be "strong policies of managing data systems," said Suri. "Lenders need to ensure they have very vigilant procedures in place for data protection and always be up to speed on going through exercises like penetration testing in order to ensure they have an airtight solution before anything is put into production."

Penetration testing, or a pen test, is an exercise in which a cyber security expert tries to find and exploit vulnerabilities in a company's computer systems. 

"[Mortgage lenders] have stopped or dramatically stepped down their cyber spending due to the slow down," JT Gaietto, chief of staff at Digital Silence, wrote in an email. "A good pen test would help companies identify weaknesses in their portals, web applications, and other systems."

But if all else fails and a lender gets hacked, it is important to have a firm disaster recovery process, or a playbook in place that you follow.

"You have to be really well practiced in what to do in response to the attack, maybe you contact your insurance company, find out if they will let you pay a ransom," said McCaffery. "Check your backup systems, can you default to it, can you also protect the backup from hackers, do you have a backup to your backup? There's some protections there that could definitely be thought through and perhaps improved upon."

Watch the advertising

It is common practice for mortgage lenders to publicly announce what vendors they partner with. Sometimes, third-party vendors will advertise the rave reviews they've received from mortgage lenders using their products. 

That practice needs to stop, argues McCaffery. Advertising which company is linked with another can create vulnerabilities.

"Companies like to put on their website, who their customers are, it's a way for you to build brand trust," she said. "But guess who else is looking at that information? Hackers are looking at that information and they're seeing hundreds of Fortune 500 companies that you've listed on your website, and they're thinking to themselves, 'here's a pay day.'"

"So I think this practice personally, is not a great one. I think what we should be doing is saying if you're interested in my product, I'll give you my customer list after we engage and it's done using a more secure method," McCaffery added. "It would be very easy for an attacker to say well this one company supports some companies that we should go after because there's going to be a high pay day for me."