The nation’s biggest nonbank mortgage servicer has agreed to pay a $20 million fine to settle allegations that its cybersecurity practices were deficient and that it did not fully cooperate with state regulators following a 2021 data breach that impacted 5.8 million customers.
In addition to the fine, Bayview Asset Management LLC and loan servicing affiliates Lakeview Loan Servicing, Community Loan Servicing and Pingora Holdings agreed to implement a corrective plan to better protect consumer data in a settlement with 53 state financial regulatory agencies announced Wednesday.
“Lenders and servicers have a responsibility to protect consumer data and work with state regulators when a breach, intentional or otherwise, occurs,” KC Mohseni, acting commissioner of the California Department of Financial Protection and Innovation, said in a statement. “California was proud to help lead the effort alongside partner states and the Conference of State Bank Supervisors in holding Bayview Asset Management accountable for the data breach and to correct identified cyber security deficiencies.”
In a statement, Bayview Asset Management said the settlement “relates to an investigation into an incident that occurred more than three years ago, where a criminal threat actor gained unauthorized access to our systems. We are pleased to put this matter behind us.”
According to a Dec. 31 consent order, the cybersecurity breach began on Oct. 11, 2021, when an employee at Bayview or one of its loan servicing affiliates unknowingly downloaded malware during an internet search.
The malware remained dormant until launching additional malware two weeks later, and from Oct. 27 through Dec. 7, 2021, a “criminal threat actor” was able to extract data — including personally identifiable information about clients that could potentially be used to steal their identity — from the company’s network.
Bayview and its subsidiaries made their initial required consumer notifications over a period of several months after the incident, and offered free consumer credit and identity theft monitoring to the affected customers they notified, state regulators acknowledged.
But even though Bayview and its subsidiaries notified “numerous state and federal regulators and key counterparties about the incident,” not all state mortgage regulators were informed, prompting a “multi-state cybersecurity examination” launched on April 1, 2022, regulators said.
In a May 4, 2023, report, examiners employed by California, Florida, Maryland and Washington state mortgage regulators said they found deficient IT and cybersecurity practices including insufficient IT patch management, insufficient centralized IT vulnerability remediation monitoring and enterprise reporting, insufficient IT inventory tracking, and failure to appropriately encrypt certain personally identifiable information.
Furthermore, Bayview and its subsidiaries “did not initially fully and completely comply with the examination authority of the state mortgage regulators,” examiners said, withholding information they claimed was privileged.
State regulators said they “are entitled to access privileged and confidential information” in the course of such investigations, including assessment and root cause reports, which they treat as confidential supervisory information.
Hackers have targeted hundreds of businesses and government agencies in recent years, in some cases taking over networks and demanding ransoms to restore access. Real estate and mortgage companies have not been immune.
The nation’s two largest title insurers — Fidelity National Financial and First American Financial — were forced to shut down their systems after security breaches in late 2023, and mortgage servicing giant Mr. Cooper notified nearly 15 million past and current customers that their personal information may have been compromised in an October 2023 data breach.
A ransomware group known as Blackcat, ALPHV or Noberus has allegedly infiltrated the computer networks of more than 1,000 victims, “including networks that support U.S. critical infrastructure,” the Department of Justice and FBI warned in a Dec. 19, 2023, bulletin.
In an advisory issued the same day, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) detailed steps companies should take to protect against ransomware attacks.