Failure to Report Breach Costs Mortgage Lender $1.5m

An American mortgage lender has shelled out $1.5m to resolve allegations that it violated the New York Department of Financial Services (NYDFS) Cybersecurity Regulation. 

Residential Mortgage Services, Inc. (RMS), which is headquartered in South Portland, Maine, was accused of failing to report a data breach that occurred in 2019. 

The breach was uncovered during an investigation of RMS carried out in July 2020 by the NYDFS. The department found evidence that “a substantial amount of sensitive personal data” had been exposed after an RMS employee became the victim of a phishing attack.

By clicking on a malicious hyperlink on March 5, 2019, the employee unknowingly gave a cyber-criminal access to their email account

Multi-factor authentication had been implemented at RMS, however the employee responded to four separate access alerts sent from the MFA application to their smartphone on March 5 by clicking their approval. 

The following day, after the fifth such prompt for authentication, the employee notified RMS’s IT staff of the anomalous activity.

The NYDFS found evidence that RMS chose to keep the breach a secret and did not look into what impact it may have had. 

“Until prompted to do so by DFS in 2020, RMS failed to conduct an investigation and identify the consumer data exposed,” stated the department.

A further finding of the NYDFS investigation was that RMS had no comprehensive cybersecurity risk assessment in place despite being obliged to under the Cybersecurity Regulation.

“It is of paramount concern to protect all consumers as cyber threats continue to surge during a vulnerable time,” said Superintendent of Financial Services Linda Lacewell.  

“DFS will continue to take nation-leading actions to ensure that our licensees fulfill their cybersecurity duties, safeguarding the private data of their New York customers, and all of the customers they serve, no matter where they reside.”

Under the terms of the settlement reached on March 3 between RMS and the NYDFS, RMS has agreed pay $1.5m and to improve its existing cybersecurity program so that it is in full compliance with the Cybersecurity Regulation.

RMS operates in 21 American states including New York.

Leave a Reply