Security of Online Mortgage Applications Breached
W A S H I N G T O N, Nov. 16, 2000 -- A security breach in the software used by manymortgage brokers caused at least 700 Americans’ loan applications — including Social Security numbers — to be divulged on the Internet,officials said Wednesday.
Though quickly rectified, the breach should send a warningthrough an industry that now processes one of every three mortgageapplications electronically using software made by California-basedContour Software, security and loan experts said.
“It’s of great concern to us,” said Tom Lovell, president ofAMEX Mortgage in Tempe, Ariz., a mortgage broker whose customers’applications were divulged on the World Wide Web because of thesoftware problem.
“We’ve been evaluating new services, and this gives us morecause for that,” he said.
Consumers Get ScaredThe breach, discovered by a computer security firm, angeredhomeowner Ronald Johnson, who comparison-shopped for mortgagesonline and learned that his application was visible on theInternet. It included his and his wife’s Social Security numbers,lists of assets and work history.
“I really don’t buy anything online, because I’m afraid if Iput my credit card number on there it’s going to be all over theworld,” said Johnson from his Fountain Hills, Ariz., home.
“But when we applied for a loan for this house, I thought itwould be a good time to use the Web. I guess I was wrong aboutthat, too,” said Johnson, who learned about the problem from TheAssociated Press.
Not a Usual OccurenceA Contour Software spokesman called the problem “a rarity” andsaid the application would be difficult to locate on the Internet.Spokesman Scott Cooley blamed a disgruntled former employee, whoturned off security settings for a computer directory where theloan applications were stored.
“Keep in mind that it would have been impossible to find thisdirectory without knowing it by name,” Cooley said.
Cooley said the problem was fixed and appears to have involvedat least 700 customers from at least 27 mortgage brokers who usethe company’s software.
As of late Wednesday afternoon, the loan applications were nolonger visible on the Internet. Cooley said he didn’t know how longthe information was available before the security firm discoveredit.
A representative of New York-based SecureFront Technologies saidthe company discovered the problem during an authorized securityaudit for a regional bank in Pennsylvania.
“We were surprised when we discovered that we were able tobrowse a number of directories with only a Web browser and withoutany passwords,” said SecureFront CEO Albert Lee, who performed theinitial test.
“Doing a brief search on the Web, we were able to identify atleast 27 other banks and lenders that are affected by the sameproblem,” Lee said.
Companies Doubt SoftwareThe Mortgage Bankers Association of America says Contour’ssoftware processed almost 2 million home loans in 1999 totaling$228 billion, part of a marked explosion in online home buyingbecause of the Internet’s ease in comparison shopping for loans.The total includes applications taken online and offline.
MBAA spokesman Dave Warner said the growth has stalled thisyear, because potential homeowners are unwilling to fill out longapplications online and also harbor their own security concerns.
AMEX Mortgage stopped taking online applications six months ago.
PSC Mortgage Group in Los Angeles has used Contour Software’sproducts for years and verified that information found onlinebelonged to their customers.
“That’s a very big deal. It’s very, very disturbing,” said Klara Soros, operational manager at PSC Mortgage Group.
Johnson, the customer surprised to learn his assets and otherprivate information were in plain view on the Internet, said he’dnever had trouble with identity theft or mysterious credit cardcharges before. Now he’s concerned.
“There’s some information out there that could get me in a lotof trouble. I wish I knew what I could do to get it off of there,”Johnson said. “I don’t know what to do.”