Data Breaches From Bankrupt Mortgage Lenders

Tim Maliyil

The stock market is in a tumult. Actually, it has been for about a year, ever since the subprime fiasco (anyone take a look at Moody’s performance over the past year?) Now that that particular issue has been beaten to death, other mortgage related issues are cropping up. Most of the stuff covered in the media is financial in nature, but some of those mortgage related issues do concern information security.

It’s no secret that there are plenty of companies in the US that discard sensitive documents by dumping them unceremoniously: leave it by the curb, drive it to a dumpster, heave it over the walls of abandoned property, and other assorted mind boggling insecure practices. In fact, MSNBC has an article on this issue, and names numerous bankrupt mortgage companies whose borrowers’ records were found in dumpsters and recycling centers. The information on those documents include credit card numbers and SSNs, as well as addresses, names, and other information needed to secure a mortgage.

Since the companies have filed for bankruptcy and are no more, the potential victims involved have no legal recourse, and are left to fend for themselves. In a way, it makes sense that companies that have filed for bankruptcy are behaving this way. (Not that I’m saying this is proper procedure.) For starters, if a company does wrong, one goes after the company; however, the company has filed for bankruptcy, it is no more, so there’s no one to “go after.” In light of the company status, this means that the actual person remaining behind to dispose of things, be they desks or credit applications, can opt to do whatever he feels like. He could shred the applications. He could dump them nearby. He could walk away and let the building’s owner take care of them. What does he care? It’s not as if he’s gonna get fired.

Also, proper disposal requires either time, money, or both. A bankrupt company doesn’t have money. It may have time, assuming people are going to stick around, but chances are their shredder has been seized by creditors. People are not going to stick around to shred things by hand, literally.

Aren’t there any laws regulating this? Apparently, such issues are covered by FACTA, the Fair and Accurate Credit Transactions Act, and although its guidelines require that “businesses to dispose of sensitive financial documents in a way that protects against ‘unauthorized access to or use of the information’” [msnbc.com], it stops short of requiring the physical destruction of data. I’m not a lawyer, but perhaps there’s enough leeway in the language for one to go around dropping sensitive documents in dumpsters?

Like I mentioned before, inappropriate disposal of sensitive documents has been going on forever; I’m pretty sure this has been a problem since the very first mortgage was issued. My personal belief is that most companies would act responsibly and try to properly dispose of such information. But, this may prove to be a point of concern as well because of widespread misconceptions of what it means to protect data against unauthorized access.

What happens if a company that files for bankruptcy decides to sell their company computers to pay off creditors? Most people would delete the information found in the computer, and that’s that-end of story. Except, it’s not. When files are deleted, the actual data still resides in the hard disks; it’s just that the computer’s operating system doesn’t have a way to find the information anymore. Indeed, this is how retail data restoration applications such as Norton are able to recover accidentally deleted files.

Some may be aware of this and decide to format the entire computer before sending it off to the new owners. The problem with this approach is the same as deleting files: data recovery is a cinch with the right software. Some of them retail for $30 or less-as in free. So, the sensitive data that’s supposed to be deleted can be recovered, if not easily, at least cheaply-perhaps by people with criminal interests.

Am I being paranoid? I don’t think so. I’ve been tracking fraud for years now, and I can’t help but conclude that the criminal underworld has plenty of people looking to be niche operators, not to mention that there are infinitesimal ways of defrauding people (look up “salad oil” and “American Express,” for an example). An identification theft ring looking to collect sensitive information from bankrupt mortgage dealers wouldn’t surprise me, especially in an environment where such companies are dropping left and right.

The economics behind it make sense as well. A used computer will retail anywhere from $100 to $500. The information in it, if not wiped correctly, will average many times more even if you factor in the purchase of data recovery software. Criminals have different ways of capitalizing on personal data, ranging from selling the information outright to engaging in something with better returns.

Is there a better way to protect oneself? Whole disk encryption is a way to ensure that such problems do not occur: One can just reformat the encrypted drive itself to install a new OS; the original data remains encrypted, so there’s no way to extract the data. Plus, the added benefit is that the data is protected in the event that a computer gets lost or stolen. However, commonsense dictates that encryption is something ongoing concerns sign up for, not businesses about to go bankrupt. My guess is that sooner or later we’ll find instances of data breaches originating from equipment being traced back to bankrupt mortgage dealers.

The stock market is in a tumult. Actually, it has been for about a year, ever since the subprime fiasco (anyone take a look at Moody’s performance over the past year?) Now that that particular issue has been beaten to death, other mortgagerelated issues are cropping up. Most of the stuff covered in the media is financial in nature, but some of those mortgagerelated issues do concern information security.

It’s no secret that there are plenty of companies in the US that discard sensitive documents by dumping them unceremoniously: leave it by the curb, drive it to a dumpster, heave it over the walls of abandoned property, and other assorted mindboggling insecure practices. In fact, MSNBC has an article on this issue, and names numerous bankrupt mortgage companies whose borrowers’ records were found in dumpsters and recycling centers. The information on those documents include credit card numbers and SSNs, as well as addresses, names, and other information needed to secure a mortgage.

Since the companies have filed for bankruptcy and are no more, the potential victims involved have no legal recourse, and are left to fend for themselves. In a way, it makes sense that companies that have filed for bankruptcy are behaving this way. (Not that I’m saying this is proper procedure.) For starters, if a company does wrong, one goes after the company; however, the company has filed for bankruptcy, it is no more, so there’s no one to “go after.” In light of the company status, this means that the actual person remaining behind to dispose of things, be they desks or credit applications, can opt to do whatever he feels like. He could shred the applications. He could dump them nearby. He could walk away and let the building’s owner take care of them. What does he care? It’s not as if he’s gonna get fired.

Also, proper disposal requires either time, money, or both. A bankrupt company doesn’t have money. It may have time, assuming people are going to stick around, but chances are their shredder has been seized by creditors. People are not going to stick around to shred things by hand, literally.

Aren’t there any laws regulating this? Apparently, such issues are covered by FACTA, the Fair and Accurate Credit Transactions Act, and although its guidelines require that “businesses to dispose of sensitive financial documents in a way that protects against ‘unauthorized access to or use of the information’” [msnbc.com], it stops short of requiring the physical destruction of data. I’m not a lawyer, but perhaps there’s enough leeway in the language for one to go around dropping sensitive documents in dumpsters?

Like I mentioned before, inappropriate disposal of sensitive documents has been going on forever; I’m pretty sure this has been a problem since the very first mortgage was issued. My personal belief is that most companies would act responsibly and try to properly dispose of such information. But, this may prove to be a point of concern as well because of widespread misconceptions of what it means to protect data against unauthorized access.

What happens if a company that files for bankruptcy decides to sell their company computers to pay off creditors? Most people would delete the information found in the computer, and that’s that-end of story. Except, it’s not. When files are deleted, the actual data still resides in the hard disks; it’s just that the computer’s operating system doesn’t have a way to find the information anymore. Indeed, this is how retail data restoration applications such as Norton are able to recover accidentally deleted files.

Some may be aware of this and decide to format the entire computer before sending it off to the new owners. The problem with this approach is the same as deleting files: data recovery is a cinch with the right software. Some of them retail for $30 or less-as in free. So, the sensitive data that’s supposed to be deleted can be recovered, if not easily, at least cheaply-perhaps by people with criminal interests.

Am I being paranoid? I don’t think so. I’ve been tracking fraud for years now, and I can’t help but conclude that the criminal underworld has plenty of people looking to be niche operators, not to mention that there are infinitesimal ways of defrauding people (look up “salad oil” and “American Express,” for an example). An identification theft ring looking to collect sensitive information from bankrupt mortgage dealers wouldn’t surprise me, especially in an environment where such companies are dropping left and right.

The economics behind it make sense as well. A used computer will retail anywhere from $100 to $500. The information in it, if not wiped correctly, will average many times more even if you factor in the purchase of data recovery software. Criminals have different ways of capitalizing on personal data, ranging from selling the information outright to engaging in something with better returns.

Is there a better way to protect oneself? Whole disk encryption is a way to ensure that such problems do not occur: One can just reformat the encrypted drive itself to install a new OS; the original data remains encrypted, so there’s no way to extract the data. Plus, the added benefit is that the data is protected in the event that a computer gets lost or stolen.

However, commonsense dictates that encryption is something ongoing concerns sign up for, not businesses about to go bankrupt. My guess is that sooner or later we’ll find instances of data breaches originating from equipment being traced back to bankrupt mortgage dealers.

Buying A Home After Bankruptcy

Carrie Reeder

If you have a recent bankruptcy and are looking to buy a home, be careful of unethical or predatory lenders. Whether you are looking online or offline for a mortgage lender, it is becoming increasingly more common that subprime lenders are taking advantage of bad credit borrowers.

Many lenders will take advantage of borrowers with recent bankruptcies and bad credit because they know that the borrowers loan options are limited. Sometimes these lenders will charge excessively high fees, extensive pre-payment penalties on the home or ask for a fee upfront to “process” the loan.

Here are some tips on applying for a mortgage loan after a bankruptcy:

Beware of the Lender Asking For a Fee Upfront – Anytime you are applying for a mortgage loan, the only fee you should ever have to pay is the application fee which covers the cost of the lender pulling your credit application. Some lending scams involve asking for a processing fee of hundreds to thousands to process the loan.

Compare Loan Offers – If you can compare from 3-4 mortgage application quotes then you will know what to expect the current interest rate for subprime mortgage loans to be. If you accept the first mortgage loan offer you have, you may be paying a much higher interest rate than what is reasonable for your credit history.

Get Closing Costs in Writing – Brokers know that if a borrower has bad credit, they are most likely going to be more concerned about getting a reasonable interest rate and just getting approved than making sure they get normal closing costs. This is where many lenders will ding the borrower with credit problems. They will sometimes charge excessive closing cost fees. Get the list of closing costs in writing ahead of time and then do research online to make sure that the costs are reasonable. If the costs are not, go back to the lender and tell them that the closing costs are too high and you will not go through with the loan until they are lowered to be what is normal. The broker will usually comply, because they don’t want the loan to fall through.

Beware Of Predatory Lenders

Jeanette Joy Fisher

In November 2005, Montgomery County, Maryland’s county council enacted legislation to expand the categories of discriminatory lending activities associated with discriminatory housing practices and increased the maximum fine for such activities from $5,000 to $500,000. The council sited practices such as charging inordinate amounts for prepayment penalties, points, and fees; steering borrowers toward more expensive mortgages; and refinancing existing mortgages with new ones that borrowers won’t be able to repay based on their income or credit.

Predatory lenders typically target what’s known as the nonprime mortgage market, where people with blemished credit records try to borrow money for homes in less desirable neighborhoods, which means that it’s often minority groups, such as African-Americans and Latinos, who are the victims of predatory lending practices.

However, February 2006, the American Financial Services Association (AFSA), challenged the ruling, contending that only the state has the power to enact legislation regarding mortgage lending practices–although the AFSA went on record as opposing discriminatory and abusive lending practices. The new law was supposed to take effect the second week in March, but mortgage lender lawyers persuaded a judge to delay the new law, pending a hearing. So it’s yet to be determined if the Montgomery County law will remain on the books.

Regardless of the outcome in Montgomery County, however, predatory lending practices are illegal in most states. The Center for Responsible Lending describes a number of such practices on their website. Some of them include loan flipping, in which the borrower is forced to refinance a loan, sometimes several times, solely for the purpose of generating new fees for the lending institution. Another common practice is insisting that borrowers also purchase such things as credit life insurance or other products–again, primarily designed to generate more income for the lender.

The bottom line is that there are lending institutions that make a great deal of money by charging extra fees to those borrowers who can least afford them, thereby either depriving those borrowers of the American dream of home ownership or, worse yet, setting them up for eventual foreclosure.

As the real estate market slows down and interest rates creep up, it’s more important than ever to become a knowledgeable consumer. Learn the basics of mortgage lending, so you’ll know when you’re being charged too much for a loan or for things you don’t need. Shop around to see what’s available, and then make sure you’re comfortable with your loan payment, because you’ll be paying that amount for many years.