Can Data Breaches Be Expected From Bankrupt Mortgage Lenders?

Tim Maliyil

The stock market is in a tumult. Actually, it has been for about a year, ever since the subprime fiasco (anyone take a look at Moody's performance over the past year?) Now that that particular issue has been beaten to death, other mortgage related issues are cropping up. Most of the stuff covered in the media is financial in nature, but some of those mortgage related issues do concern information security.

It's no secret that there are plenty of companies in the US that discard sensitive documents by dumping them unceremoniously: leave it by the curb, drive it to a dumpster, heave it over the walls of abandoned property, and other assorted mind boggling insecure practices. In fact, MSNBC has an article on this issue, and names numerous bankrupt mortgage companies whose borrowers' records were found in dumpsters and recycling centers. The information on those documents include credit card numbers and SSNs, as well as addresses, names, and other information needed to secure a mortgage.

Since the companies have filed for bankruptcy and are no more, the potential victims involved have no legal recourse, and are left to fend for themselves. In a way, it makes sense that companies that have filed for bankruptcy are behaving this way. (Not that I'm saying this is proper procedure.) For starters, if a company does wrong, one goes after the company; however, the company has filed for bankruptcy, it is no more, so there's no one to "go after." In light of the company status, this means that the actual person remaining behind to dispose of things, be they desks or credit applications, can opt to do whatever he feels like. He could shred the applications. He could dump them nearby. He could walk away and let the building's owner take care of them. What does he care? It's not as if he's gonna get fired.

Also, proper disposal requires either time, money, or both. A bankrupt company doesn't have money. It may have time, assuming people are going to stick around, but chances are their shredder has been seized by creditors. People are not going to stick around to shred things by hand, literally.

Aren't there any laws regulating this? Apparently, such issues are covered by FACTA, the Fair and Accurate Credit Transactions Act, and although its guidelines require that "businesses to dispose of sensitive financial documents in a way that protects against 'unauthorized access to or use of the information'" [msnbc.com], it stops short of requiring the physical destruction of data. I'm not a lawyer, but perhaps there's enough leeway in the language for one to go around dropping sensitive documents in dumpsters?

Like I mentioned before, inappropriate disposal of sensitive documents has been going on forever; I'm pretty sure this has been a problem since the very first mortgage was issued. My personal belief is that most companies would act responsibly and try to properly dispose of such information. But, this may prove to be a point of concern as well because of widespread misconceptions of what it means to protect data against unauthorized access.

What happens if a company that files for bankruptcy decides to sell their company computers to pay off creditors? Most people would delete the information found in the computer, and that's that-end of story. Except, it's not. When files are deleted, the actual data still resides in the hard disks; it's just that the computer's operating system doesn't have a way to find the information anymore. Indeed, this is how retail data restoration applications such as Norton are able to recover accidentally deleted files.

Some may be aware of this and decide to format the entire computer before sending it off to the new owners. The problem with this approach is the same as deleting files: data recovery is a cinch with the right software. Some of them retail for $30 or less-as in free. So, the sensitive data that's supposed to be deleted can be recovered, if not easily, at least cheaply-perhaps by people with criminal interests.

Am I being paranoid? I don't think so. I've been tracking fraud for years now, and I can't help but conclude that the criminal underworld has plenty of people looking to be niche operators, not to mention that there are infinitesimal ways of defrauding people (look up "salad oil" and "American Express," for an example). An identification theft ring looking to collect sensitive information from bankrupt mortgage dealers wouldn't surprise me, especially in an environment where such companies are dropping left and right.

The economics behind it make sense as well. A used computer will retail anywhere from $100 to $500. The information in it, if not wiped correctly, will average many times more even if you factor in the purchase of data recovery software. Criminals have different ways of capitalizing on personal data, ranging from selling the information outright to engaging in something with better returns.

Is there a better way to protect oneself? Whole disk encryption is a way to ensure that such problems do not occur: One can just reformat the encrypted drive itself to install a new OS; the original data remains encrypted, so there's no way to extract the data. Plus, the added benefit is that the data is protected in the event that a computer gets lost or stolen. However, commonsense dictates that encryption is something ongoing concerns sign up for, not businesses about to go bankrupt. My guess is that sooner or later we'll find instances of data breaches originating from equipment being traced back to bankrupt mortgage dealers.

The stock market is in a tumult. Actually, it has been for about a year, ever since the subprime fiasco (anyone take a look at Moody's performance over the past year?) Now that that particular issue has been beaten to death, other mortgagerelated issues are cropping up. Most of the stuff covered in the media is financial in nature, but some of those mortgagerelated issues do concern information security.

It's no secret that there are plenty of companies in the US that discard sensitive documents by dumping them unceremoniously: leave it by the curb, drive it to a dumpster, heave it over the walls of abandoned property, and other assorted mindboggling insecure practices. In fact, MSNBC has an article on this issue, and names numerous bankrupt mortgage companies whose borrowers' records were found in dumpsters and recycling centers. The information on those documents include credit card numbers and SSNs, as well as addresses, names, and other information needed to secure a mortgage.

Since the companies have filed for bankruptcy and are no more, the potential victims involved have no legal recourse, and are left to fend for themselves. In a way, it makes sense that companies that have filed for bankruptcy are behaving this way. (Not that I'm saying this is proper procedure.) For starters, if a company does wrong, one goes after the company; however, the company has filed for bankruptcy, it is no more, so there's no one to "go after." In light of the company status, this means that the actual person remaining behind to dispose of things, be they desks or credit applications, can opt to do whatever he feels like. He could shred the applications. He could dump them nearby. He could walk away and let the building's owner take care of them. What does he care? It's not as if he's gonna get fired.

Also, proper disposal requires either time, money, or both. A bankrupt company doesn't have money. It may have time, assuming people are going to stick around, but chances are their shredder has been seized by creditors. People are not going to stick around to shred things by hand, literally.

Aren't there any laws regulating this? Apparently, such issues are covered by FACTA, the Fair and Accurate Credit Transactions Act, and although its guidelines require that "businesses to dispose of sensitive financial documents in a way that protects against 'unauthorized access to or use of the information'" [msnbc.com], it stops short of requiring the physical destruction of data. I'm not a lawyer, but perhaps there's enough leeway in the language for one to go around dropping sensitive documents in dumpsters?

Like I mentioned before, inappropriate disposal of sensitive documents has been going on forever; I'm pretty sure this has been a problem since the very first mortgage was issued. My personal belief is that most companies would act responsibly and try to properly dispose of such information. But, this may prove to be a point of concern as well because of widespread misconceptions of what it means to protect data against unauthorized access.

What happens if a company that files for bankruptcy decides to sell their company computers to pay off creditors? Most people would delete the information found in the computer, and that's that-end of story. Except, it's not. When files are deleted, the actual data still resides in the hard disks; it's just that the computer's operating system doesn't have a way to find the information anymore. Indeed, this is how retail data restoration applications such as Norton are able to recover accidentally deleted files.

Some may be aware of this and decide to format the entire computer before sending it off to the new owners. The problem with this approach is the same as deleting files: data recovery is a cinch with the right software. Some of them retail for $30 or less-as in free. So, the sensitive data that's supposed to be deleted can be recovered, if not easily, at least cheaply-perhaps by people with criminal interests.

Am I being paranoid? I don't think so. I've been tracking fraud for years now, and I can't help but conclude that the criminal underworld has plenty of people looking to be niche operators, not to mention that there are infinitesimal ways of defrauding people (look up "salad oil" and "American Express," for an example). An identification theft ring looking to collect sensitive information from bankrupt mortgage dealers wouldn't surprise me, especially in an environment where such companies are dropping left and right.

The economics behind it make sense as well. A used computer will retail anywhere from $100 to $500. The information in it, if not wiped correctly, will average many times more even if you factor in the purchase of data recovery software. Criminals have different ways of capitalizing on personal data, ranging from selling the information outright to engaging in something with better returns.

Is there a better way to protect oneself? Whole disk encryption is a way to ensure that such problems do not occur: One can just reformat the encrypted drive itself to install a new OS; the original data remains encrypted, so there's no way to extract the data. Plus, the added benefit is that the data is protected in the event that a computer gets lost or stolen.

However, commonsense dictates that encryption is something ongoing concerns sign up for, not businesses about to go bankrupt. My guess is that sooner or later we'll find instances of data breaches originating from equipment being traced back to bankrupt mortgage dealers.