Scotsman Guide > News > January 2016 > News Story

 Enter your e-mail address and password below.


Forgot your password? New User? Register Now.

News Archives

Subscribe icon Subscribe to our weekly e-newsletter, Top News.

Cybercriminals will increasingly target mortgage industry, security expert Jeff Bernstein says

The rising tide of cyber attacks by hackers, online criminals and international terrorists was treated as an “existential threat” to mortgage companies by panelists at the Mortgage Bankers Association annual convention in San Diego this past October. Jeff Bernstein, managing director of the New York City-based information security firm T&M Protection Resources, spoke with Scotsman Guide News about the threat and how mortgage companies are fighting back.                            

Who is targeting these systems?

Jeff BernsteinThere is so much information that is gathered by mortgage bankers and mortgage lenders. When homeowners apply for a mortgage, they will usually ask for driver licenses and social security cards, tax returns, bank statements, confidential credit-report information. Because of the plethora of information being collected, the mortgage banking sectors and the companies that make these loans are really coming under fire. What type of attackers are out there? They are fairly sophisticated. These aren’t your typical script kitties that are running exploits just for the fun of it. These are sophisticated attackers that sell information in the black marketplaces online. They say a typical identity is worth thousands today. Because the information that is gathered during the process of a typical loan, this area is becoming more of a target.

What sort of companies are being targeted?

I would say any connected company is a target of these types of attacks. They are big banks. We saw a breach last year with HSBC Mortgage. We also saw smaller companies, or at least smaller compared to the top-tier banks. DHI Mortgage was one. We have also seen some of the builders that carry mortgages come under attack. It really is a wide range of companies. More and more we are seeing these type of attacks targeted at the mortgage industry. It is not just the mortgage company that comes into contact with the consumer data.  It is also their business partners. A typical loan will include other parties. There will be attorneys involved, loan servicers, title companies, insurance companies, and a company that collects consumer data is only as secure as its weakest partner.

How much damage have these attacks done to companies?

It is in the billions of dollars. When you look at these type of attacks, they are very costly and difficult to recover from. Attacks can lead to identity theft, loss or leakage of data, fraud, theft of funds, theft of property, intellectual property, sabotage. It is always disrupting to the business. At the top level, the most disruptive part is the damage to the brand. When a consumer works with a mortgage lender, it is one of these trusted relationships. If you are out there in the public as one of these companies that has been compromised, that is going to be a tremendous blow to your brand and your business.

How far along are companies in protecting themselves?

We feel the industry is moving in the right direction. It is not moving fast enough, and the reason is that people are doing a lot of business online and using these simple devices, the Smartphones, the tablets. Companies that are providing these services are trying to make it as convenient [as possible] for the user to visit their brand, and to submit their information. We are making it easier and easier for consumers to visit a site and provide their information and apply for mortgages, but typically it is coming at the cost of security. There are quite a few companies that are doing things proactively to protect their data and to improve their computing environments, but there are also companies that don’t pay attention to security properly until after a breach has happened.

What has the government’s position been on this?

Although we haven’t seen a lot of regulation, there is a lot of talk about it. We’ve seen that at the state and federal regulation levels. And there are a lot of very impressive information-security assessment-and-assurance frameworks. The leading one right now is NIST, which is the National Institute of Standards and Technology. They have something called the cybersecurity framework. The companies that we see working to improve their cybersecurity proactively typically follow the NIST framework. It works out a lot of different controls for companies and helps those companies identify where the gaps are, so they can improve their security postures.

Do you think the number of these attacks is going to increase?

The attackers are increasing in numbers, the attacks are becoming more prevalent and easier to deliver. So, we don’t see any down trend in this. There was a recent interview with James Comey, the current FBI director, that really resonated with me. He said that people should treat their e-mail box like they treat their home. If somebody knocked on your door at 2 in the morning, you wouldn’t just open the door and let them in. You would ask who it is, look out the window and try to vet who it was. The problem today with security is that people will receive a message, they click on a link, they open an attachment, they really don’t think where these things are coming from. It is important to know the source of these messages. It is not just e-mails. It is anything with instant messaging, social media. Most security compromises happen because somebody is doing something that they shouldn’t do. They open a link, they open an attachment from an e-mail from a dubious source. Once they do that, a malicious payload is in their system and that could lead to catastrophe. 


Questions? Contact at (425) 984-6017 or

Get the latest news and articles from Scotsman Guide straight to your inbox.

Send me the following e-mails:

Learn more about Scotsman Guide e-mails

Thank you for signing up to receive e-mails from Scotsman Guide.

A confirmation e-mail has been sent to the address you provided.

For questions regarding your e-mail subscriptions please contact or call (800) 297-6061.

Fins A Lender Post a Loan
Residential Find a Lender Commercial Find a Lender
Follow Us:Visit Scotsman Guide Facebook pageVisit Scotsman Guide LinkedIn pageVisit Scotsman Guide Twitter page


© 2019 Scotsman Guide Media. All Rights Reserved.  Terms of Use  |  Privacy Policy