Cyber Incident Victim: Mortgage Industry Advisory Corporation

On or around April 6, 2023, the Mortgage Industry Advisory Corporation (MIAC) learned of a data security incident impacting its IT network. MIAC, a vendor providing services to Freedom Mortgage Corporation, initiated an investigation into the nature and scope of this cybersecurity event. The investigation determined that an unauthorized party had gained access to MIAC's computer system. The investigation concluded on May 1, 2023, with the confirmation that certain consumer data stored on the company’s computer system was subject to unauthorized access. The specific technical details regarding the method of unauthorized access, the extent of network penetration, or the identity of the threat actor were not disclosed in the available information.

The following day, on May 2, 2023, MIAC formally informed its client, Freedom Mortgage Corporation, of the data breach. This notification indicated that the confidential consumer data entrusted to Freedom Mortgage and stored on MIAC's systems had been compromised. Upon being notified by its vendor, Freedom Mortgage collaborated with MIAC to review the affected files within the MIAC computer system. The purpose of this review was to determine precisely which consumers were impacted and what specific types of their personal information were accessed or acquired by the unauthorized party.

The analysis of the compromised data determined that the breached information varied depending on the individual but included sensitive personally identifiable information. The investigation confirmed that the unauthorized party gained access to consumers’ names and Social Security numbers. The full scope of the breach, including the exact number of affected individuals, was not detailed in the public filing. The data involved was information that had been provided by consumers to Freedom Mortgage in the course of their business relationship, and it was subsequently shared with and stored by the vendor, MIAC, as part of their business operations.

In response to the confirmed data leak, Freedom Mortgage Corporation fulfilled its regulatory obligations by filing a formal notice of data breach with the Massachusetts Office of Consumer Affairs and Business Regulation on May 22, 2023. This filing served as the public confirmation of the incident. Concurrently, data breach notification letters were sent out to all individuals whose information was compromised as a result of the security incident at MIAC. These notifications were sent by MIAC on behalf of Freedom Mortgage. The letters informed potential victims that their names and Social Security numbers were involved in the breach.

As part of its response to mitigate potential harm to the affected individuals, MIAC offered free credit monitoring services to the victims of the breach. This service is a common remedial action intended to help individuals detect any suspicious activity related to their credit profiles that might suggest identity theft or fraud resulting from the exposure of their Social Security numbers. The offering of credit monitoring was detailed in the data breach notification letters sent to impacted consumers.

Freedom Mortgage Corporation is a significant entity in the financial services sector. Founded in 1990 and based in Boca Raton, Florida, the company operates as a large mortgage lender. It offers a wide array of mortgage and refinance options, including government-backed loans such as FHA loans, VA loans, and USDA loans, as well as cash-out refinancing products. The company employs more than 7,000 people and generates annual revenue of approximately $5.2 billion. The incident highlights the risks associated with third-party vendor relationships, where a cybersecurity failure at a service provider can directly impact the customers of its client, in this case, a major mortgage lender. The compromise of Social Security numbers is particularly severe due to the critical role this identifier plays in financial transactions and credit reporting, making affected individuals highly vulnerable to identity theft and financial fraud. The public disclosure of the event was made through a legal filing with a state regulatory body, and subsequent reporting provided the limited known details to a wider audience. The operational impact on Freedom Mortgage's or MIAC's business systems, beyond the data exfiltration, was not disclosed. The incident underscores the chain of responsibility in data protection, where a breach at a vendor necessitates a response and public disclosure from the primary data controller, the company that originally collected the information from consumers.