A stark majority of mortgage lenders large and small risk their clients’ financial information falling into the wrong hands, according to one cybersecurity firm’s investigation.
Over 70% of mortgage lenders had information sharing practices in place that put their financial and personal data of their clients at risk, says a recent report from HALOCK Security Labs.
HALOCK investigated 63 U.S. mortgage lenders and found that over 45 of them allowed applicants to send personal and financial information over unencrypted email as email attachments.
The cybersecurity firm also discovered that eight of the eleven top U.S. lenders allowed the same unsecure practices as smaller lenders.
Such practices included faxing and mail-in options to transmit sensitive data such as tax documents and W-2’s.
The investigation found that nearly 70% of the surveyed lenders encouraged faxing sensitive data, while 40% provided a postal mail option. Only 12% of lenders offered a secure email portal.
When asked why a secure email portal was not offered to applicants, several of the lenders surveyed by HALOCK responded that it was a matter of that the customer was “most comfortable with.”
“Oftentimes it was easier to have my clients send documents like W-2’s through email because everyone has access to an email account,” said one former mortgage lender HALOCK quoted anonymously. “Most of us [lenders] didn’t want to take the time to explain what a secure portal was and how to use it. Everyone understands what email is.
But email is not as secure as some might think, suggests Graham Cluley, publisher of Graham Cluley Security News, to HALOCK.
“Email by its very nature is insecure: 99.9% of is is sent unencrypted,” said Cluley. “If it was invented today, no one would use it. Emailing unencrypted documents ‘in the clear’ creates a potential chain of issues.”
While the cost of boosting security measures might be an issue for some lenders, the extra effort of using a secure portal can pay off.
“Any type of weak link in a system involving sensitive information exposes people to unnecessary risk,” says Terry Kurzynski, senior partner at HALOCK. “It takes months to recover from an identity theft and minutes to log into a secure portal. Do the math.”
Written by Jason Oliva