Security Glitch Reveals Info Onlinegreenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread
Nov 15, 2000 6:17 PM
WASHINGTON (AP) - A security breach in the software used by many mortgage brokers caused at least 700 Americans' loan applications - including Social Security numbers - to be divulged on the Internet, officials said Wednesday.
Though quickly rectified, the breach should send a warning through an industry that now processes one of every three mortgage applications electronically using software made by California-based Contour Software, security and loan experts said.
``It's of great concern to us,'' said Tom Lovell, president of AMEX Mortgage in Tempe, Ariz., a mortgage broker whose customers' applications were divulged on the World Wide Web because of the software problem.
``We've been evaluating new services, and this gives us more cause for that,'' he said.
The breach, discovered by a computer security firm, angered homeowner Ronald Johnson, who comparison-shopped for mortgages online and learned that his application was visible on the Internet. It included his and his wife's Social Security numbers, lists of assets and work history.
``I really don't buy anything online, because I'm afraid if I put my credit card number on there it's going to be all over the world,'' said Johnson from his Fountain Hills, Ariz., home.
``But when we applied for a loan for this house, I thought it would be a good time to use the Web. I guess I was wrong about that, too,'' said Johnson, who learned about the problem from The Associated Press.
A Contour Software spokesman called the problem ``a rarity'' and said the application would be difficult to locate on the Internet. Spokesman Scott Cooley blamed a disgruntled former employee, who turned off security settings for a computer directory where the loan applications were stored.
``Keep in mind that it would have been impossible to find this directory without knowing it by name,'' Cooley said.
Cooley said the problem was fixed and appears to have involved at least 700 customers from at least 27 mortgage brokers who use the company's software.
As of late Wednesday afternoon, the loan applications were no longer visible on the Internet. Cooley said he didn't know how long the information was available before the security firm discovered it.
A representative of New York-based SecureFront Technologies said the company discovered the problem during an authorized security audit for a regional bank in Pennsylvania.
``We were surprised when we discovered that we were able to browse a number of directories with only a Web browser and without any passwords,'' said SecureFront CEO Albert Lee, who performed the initial test.
``Doing a brief search on the Web, we were able to identify at least 27 other banks and lenders that are affected by the same problem,'' Lee said.
The Mortgage Bankers Association of America says Contour's software processed almost 2 million home loans in 1999 totaling $228 billion, part of marked explosion in online home buying because of the Internet's ease in comparison shopping for loans. The total includes applications taken online and off line.
MBAA spokesman Dave Warner said the growth has stalled this year, because potential homeowners are unwilling to fill out long applications online and also harbor their own security concerns.
AMEX Mortgage stopped taking online applications six months ago.
PSC Mortgage Group in Los Angeles has used Contour Software's products for years and verified that information found online belonged to their customers.
``That's a very big deal. It's very, very disturbing,'' said Klara Soros, operational manager at PSC Mortgage Group.
Johnson, the customer surprised to learn his assets and other private information were in plain view on the Internet, said he'd never had trouble with identity theft or mysterious credit card charges before. Now he's concerned.
``There's some information out there that could get me in a lot of trouble. I wish I knew what I could do to get it off of there,'' Johnson said. ``I don't know what to do.''
-- Doris (firstname.lastname@example.org), November 16, 2000