An American mortgage lender found itself in serious trouble after violating the NYDFS cybersecurity regulations. The lender was fined and resolved the allegations by paying $1.5M to the New York Department of Financial Services.
The lender, Residential Mortgage Services (RMS), located in South Portland, Maine, was accused of and fined for failing to report a data breach that happened in 2019. Investigators uncovered the breach in July 2020, when they found evidence that a massive chunk of sensitive data had been exposed after an RMS employee fell victim to a cyberattack.
In the attack, the RMS employee received a malicious link on March 5, 2019. The accidental click resulted in a breach of their email accounts. The attackers succeeded despite multi-factor authentication.
The employee alerted the IT department to the breach, but the department took no swift action. NYDFS later concluded that the department kept this secret “On Purpose.”
The department also stated that RMS failed to acknowledge the consumer data breach or the incident leading to it. They also stated that RMS followed no security protocols, and that its team was not skilled enough to troubleshoot such a risk.
DFS Superintendent Linda Lacewell expressed profound concern at such a high-level threat and further stated that “It’s highly concerning to safeguard our consumers as we’ve been facing nasty cyberattacks in such challenging times.”
She further concluded that the Department of Financial Services would continue to take such national cyber attacks “seriously.” The department is adamant about ensuring that all licensees comply with the cybersecurity protocols. The internet safety of NY citizens is the department's utmost priority, and it will serve its customers without any interruption.
Residential Mortgage Services and the NYDFS completed the investigation collaboratively and settled on March 3, 2020. The settlement imposed a fine of $1.5M on RMS. It also ordered RMS to promptly improve its cybersecurity program so that it fully complies with the Cybersecurity Regulation.
RMS currently operates in 21 states, including NYC.
While $1.5M is no small quantity, it’s likely a low amount when compared to the amount RMS makes annually. While I hope it’s not the case, this is likely not going to be a big enough incentive for the company to update their cybersecurity practices, including better security awareness training of their personnel.
Why should we care?
Financial lenders collect large amounts of data on their customers, including Social Security numbers (SSNs). In the wrong hands, this data can lead to identity theft and can financially ruin the lives of those involved. Bad actors use identity theft to open credit cards and credit accounts under the victims' names. Another use that has been seen and reported on by the IRS is a person working under a stolen identity and not paying enough taxes. The person whose identity was stolen is then responsible for paying those taxes, as we can see in the following abc15 news report.