What to do when your mortgage servicer gets hacked

There’s no gentle way to say this, so we’ll just say it: If you have a mortgage, scammers are trying to steal your personal information. That harsh reality was underscored by the news that hackers hit two large mortgage servicers in rapid succession. In December, Mr. Cooper said thieves had gained access to information about 14.7 million borrowers. Then, in January, LoanDepot disclosed a hack involving 16.6 million customers.

Back-to-back attacks on similar companies are a hallmark of the hacker playbook, says James Lee, chief operating officer at the nonprofit Identity Theft Resource Center. Scammers typically focus their efforts on a corner of the financial industry. “If they’re successful, they’ll mine that vein for a while,” says Lee.

In other words, scammers likely are targeting other mortgage servicers, the companies that collect your monthly payments and manage your escrow for property taxes and insurance. The reason is obvious: Mortgage servicers store vast amounts of sensitive data, including Social Security numbers and bank account data, along with borrowers’ addresses and property details.

If your mortgage servicer is hacked, there are steps you can take to safeguard your data and protect yourself.

What happens when a mortgage servicer gets hacked?

Cyberattacks on financial institutions, including mortgage loan servicers, target sensitive customer data. If thieves nab your personal information, the breach opens the door to identity theft or other fraud. Borrowers might also experience disruptions in the servicing of their mortgages, including difficulties in making payments, receiving accurate account information or resolving issues.

What is the impact of a cyberattack on a mortgage lender’s operations?

A cyberattack can immobilize a mortgage lender’s internal systems, making it difficult for the lender to service loans, process payments or manage customer accounts.

The mortgage lender likely has to spend money to investigate the breach, improve security and recover lost data. What’s more, servicers can face lawsuits or regulatory actions for the breach.

How to protect your data if your mortgage servicer gets hacked

While you can’t prevent a cyberattack on your mortgage servicer, you can take steps to protect your personal data and minimize potential damages. These steps include:

  • Keep strong passwords for your online accounts. Not long ago, Lee says, eight-character passwords were the gold standard in cybersecurity. Now, though, hackers using artificial intelligence can crack a typical eight-character password in under 30 seconds. The new advice: Use 13-character passwords that include a mix of letters, numbers and special characters. If available, enable two-factor authentication, and change your passwords regularly.

  • Don’t repeat passwords. It’s not a good idea to reuse passwords from one site or account to another. To keep track of passwords, you can use a password manager — either the one that comes built into your web browser or an add-on service that you pay a monthly fee for.

  • Watch out for scams. Be wary of phishing attempts, and never provide personal information via email or over the phone unless you initiated the contact. Monitor your accounts for any unusual activities, and immediately report any discrepancies to your mortgage servicer.

What is the role of credit freezes in protecting against identity theft?

Along with the above steps, a credit freeze can be an effective tool in thwarting identity theft. This move restricts access to your credit report, making it more difficult for thieves to open new accounts in your name. If your data has been compromised in a cyberattack, consider placing a credit freeze with each of the three major credit bureaus (Equifax, TransUnion and Experian).

Keep in mind: If you apply for credit in the future, you'll be rejected unless you lift the freeze.

If your mortgage servicer is the victim of a breach, it might offer support. For instance, Mr. Cooper promised two years of free credit monitoring and identity protection services with TransUnion.

Lee also advises borrowers to consider the equivalent of a credit freeze on their property. One property scam that’s gaining popularity involves a thief filing a phony deed on a property, then taking a loan.

“Scammers can hijack your property, and then be gone before you know what happened,” says Lee. To prevent this, he says, you can file a freeze on your property with your county clerk of courts. You can do this yourself or hire a real estate attorney.

How to manage mortgage payments during a cyberattack

If a cyberattack disrupts your ability to make your mortgage payments, contact your mortgage servicer right away to discuss your options. You may be able to make payments by check or by phone. If you’re unable to make payments because of the hack, set aside the funds anyway. Once the issue is resolved, you’ll need to catch up on payments to avoid late fees or dings to your credit.

Because embattled servicers are known for forgetting things, make sure to document all communications and keep proof of your payments.

FAQ about mortgage loan servicer cyberattacks

  • In some cases, a mortgage servicer may choose to transfer loans to another servicer after a cyberattack. If this happens, you have a right to be notified. You should receive a transfer notice from your current servicer at least 15 days before the transfer, and a welcome letter from the new servicer within 15 days of the transfer. These notices should include information about the new servicer and the date the new servicer will begin accepting your mortgage payments.

  • If you spot an error on your mortgage account after a cyberattack, such as incorrect balances or unauthorized charges, write to your mortgage servicer detailing the error. Be sure to include your name, account number and an explanation of the mistake. The Consumer Financial Protection Bureau has a sample complaint letter you can use as a template. Consider sending your letter by certified mail, and keep a copy for your records.


    Your servicer must acknowledge your complaint within 30 days and correct the error or explain why it believes the account information is correct within 45 days.
