After the latest data hack, should borrowers freeze their credit?

Another massive data breach allegedly involving billions of records could have ramifications for mortgage lenders. 

The breach at National Public Data, a data broker that sells criminal records and background checks, has affected 1.3 million consumers, the company said this month. A cybercriminal warned the trove of personally identifiable information leaked this summer spans 2.9 billion rows of data. 

NPD and advocates from the National Consumer Law Center suggested consumers mull a free credit freeze. Security freezes at the three credit bureaus barring creditors from accessing consumer data could impact a mortgage application in numerous ways, explained Amanda Tucker, chief risk and compliance officer at Atlantic Bay Mortgage Group and board member of the Community Home Lenders of America. 

"That's where consumer outreach and education becomes so important, so the consumer understands the types of loan products or programs that they may look to obtain, and what that looks like from a credit freeze standpoint," she said.

Atlantic Bay didn't work with NPD and hasn't seen any impact from the breach, said Tucker. But given the timing of recent media reports and the scope of the incident, that could change. 

The incident began last December when a third-party actor tried to hack into NPD, the company said in a data breach notification. The swath PII including names, email addresses, phone numbers, Social Security numbers and mailing addresses was subsequently leaked in July.

A hacker known as "USDoD" in April claimed the database spanned 2.9 billion records on U.S. citizens, and attempted to sell the 277 gigabyte file for $3.5 million, according to a consumer lawsuit citing a cybersecurity review. In July, PII for 272 million people was leaked, according to cybersecurity reporter Brian Krebs. 

The data broker advised consumers to closely monitor their financial accounts, place a free fraud alert on their credit files, and consider placing a freeze at Equifax, Experian and Transunion. If a consumer needs a creditor to access their frozen file, they could request a temporary unfreeze from each bureau or remove the freeze permanently. 

If a consumer applies for a mortgage with a credit freeze, the freeze could slow down their approval, said Tucker. If they place it after their loan approval, the freeze could cause delays during the closing process. Consumers have to unfreeze their files themselves. 

The Consumer FInancial Protection Bureau states freezes should be removed free of charge 1 hour after receiving requests via telephone or online, or three business days after receiving a request by mail. 

"That doesn't seem like a long period of time, but if you are a day or two away from closing on your home, that can create significant delays for the consumer," said Tucker. 

Freezes also affect different loan products and programs in different ways. Both Fannie Mae and Freddie Mac seller guides state borrower credit information is acceptable if data is frozen at only one of the three bureaus. U.S. Department of Agriculture-backed mortgage applications meanwhile require all credit to be unfrozen, according to its guidelines. 

Consumers will more often place fraud alerts on their credit files rather than credit freezes, said Tucker. The move requires a lender to contact the consumer to their identity before proceeding. 

Tucker also promoted credit monitoring, services which track changes to accounts on a consumer's credit report. While the services usually charge monthly fees, companies hit by data breaches often offer affected consumers the service free of charge for one to two years. 

"Our focus is on consumer education, understanding how a data breach may impact their credit and application for a mortgage loan, but also how they can protect themselves and mitigate that risk," said Tucker.