Buying a home is a complicated process that involves sharing sensitive information with multiple people. And the latest major data leak highlights the risk consumers take on when they share that information.
Roughly 885 million mortgage-related files stretching back over a decade were exposed by First American Financial Corp., one of the country’s largest title insurance companies, thanks to a flaw in the design of a website that stored the files.
The files, which could accessed if someone had the proper URL, contained a wide array of personal information for parties to thousands of real-estate transactions, including bank-account numbers and statements, mortgage and tax records, Social Security Numbers, wire-transaction receipts, and driver’s license images.
First American confirmed that the information was leaked and said it rectified the situation once it was notified of it. The company also said it has hired an outside forensic firm to investigate whether any customer information was compromised due to the security flaw.
So far it does not appear that there was any large-scale access to the information, according to the company, but if that changes First American said it will notify consumers and provide credit-monitoring services.
“We deeply regret the concern this defect has caused,” said Dennis J. Gilmore, chief executive officer at First American Financial Corporation. “We are thoroughly investigating this matter and are fully committed to protecting the security, privacy and confidentiality of the information entrusted to us by our customers.”
This is not the first time this year that a data breach involved mortgage documents. In January, news site TechCrunch revealed that some 54,000 mortgage borrowers had their financial data exposed by Ascension, a financial data firm that converts paper documents into computer-readable files. Among those affected included past customers of Wells Fargo, Citigroup, and Capital One.
While major data breaches like these attract headlines, many consumers nationwide have fallen victim to much simpler, email-based scams, which involved hacked or spoofed email accounts, losing thousands of dollars in the process.
In some cases, scammers will pose as real-estate agents requesting money for a down payment. In other instances, they will dupe unsuspecting consumers into handing over the money for closing from their escrow account by pretending to be a title insurance firm or hacking into their systems.
“Business email compromise can happen to anyone involved in the transaction,” said Katie Johnson, general counsel and chief member experience officer at the National Association of Realtors.
Here are steps that consumers can — and should — take when buying a home to ensure their personal information and money are protected.
Make sure your cyber house is in order. A lot of sensitive information will be shared throughout the process of buying a home and getting a mortgage. Now is a good time to ensure that all of that information is well-protected, Johnson said. This includes changing passwords to make them more secure and enabling two-factor authentication whenever possible. And since you can’t freeze your credit during the mortgage process, it’s not a bad idea to sign up for credit-monitoring or identity-theft protection services.
Ask every company how they will protect your data. Not all companies have the same policies when it comes to cybersecurity — while banks may be subject to stringent federal oversight, the same is not true of smaller mom-and-pop real-estate agencies or title insurers. Before going with a certain company, consumers should find out how they protect information — for instance, do they store documents in encrypted databases?
Avoid sending documents or other sensitive information over email. Many wire-fraud schemes involve hacked or spoofed email addresses. If a real-estate agent, lender or insurer asks for sensitive information over email, consumers should call them to double-check the email is really from them, Johnson said. If possible, consumers should opt to deliver information in person, verbally over the phone or through a secure online portal rather than over email.