Dumped Mortgage Files Invite Identity Theft
Last month, Waldell Thomas, a maintenance worker at Montego Apartments in Atlanta, made a discovery inside the complex’s Dumpster: a cache of 40 boxes of loan files containing Social Security numbers, credit reports and other data on customers of Ameriquest Mortgage Co.
“I said: ‘God, this is people’s personal information,’ ” Mr. Thomas recalls. “What if that had been my information and somebody had come along and got it?”
Privacy experts say this sort of mishap — which leaves borrowers vulnerable to identity theft — is a growing concern in the mortgage industry. The mortgage process has become more complex, with consumer information flowing through the hands of a menagerie of independent brokers, itinerant loan officers, investors and financial middlemen. With the housing downturn forcing many of these firms to sack workers and shut branches, some mortgage files are getting lost in the shuffle, turning up in places like Dumpsters that are easily accessed by scam artists.
“In times of organizational change or chaos, we’re much more likely to see those kinds of leaks — what I call inadvertent disclosures,” Dartmouth College management professor Eric Johnson says.
Experts say that putting numbers on how frequently confidential mortgage data is leaked is difficult, because many breaches go unnoticed. In July, however, Bob Segall, a reporter at WTHR-TV in Indianapolis, tried to get a sense of how bad the problem was around central Indiana. Over three days, he peered into 40 Dumpsters behind loan branches and title companies that handle mortgage documents. In nearly half — 18 — he discovered sensitive information about borrowers.
“You could see their complete financial lives on paper, dating back 20, 30, 40 years,” he said. Among the finds inside the mortgage files: a letter from one borrower’s counselor saying he was doing well in alcohol rehab.
Several borrowers went on camera to express their outrage after Mr. Segall informed them their documents had been tossed in the trash. Among them were Russ Biegel and Harold Webb, who had just bought a house together outside Indianapolis.
“I don’t frequently get telephone calls from investigative reporters,” Mr. Biegel, 54 years old, recalls. “When he told me, I was very shocked. I trusted people I shouldn’t have trusted. You just think that these things are going to be automatically protected and they’re not.”
R.J. Schlecht, a security expert at the Mortgage Bankers Association, says industry players are constantly working to improve safeguards. And while small and midsize players can be vulnerable to security problems, he says, the big lenders that amass most of the consumer data “have the resources and knowledge to be able to provide a lot of controls and mechanisms” to protect borrowers’ privacy.
State and federal authorities have written rules aimed at discouraging breaches that can benefit Dumpster-diving scam artists. Under such rules, lenders and other firms that handle mortgage documents are generally required to hold onto these papers for lengthy periods, and to shred or burn them when they finally discard them.
The Federal Trade Commission and other regulators have begun taking enforcement action. In February, North Carolina’s attorney general fined two mortgage firms in Charlotte for dumping loan files into the trash.
In July, authorities in Hawaii fined a defunct mortgage-escrow firm $10,000 for improperly disposing of mortgage documents. That case arose in March when Jim Kelly, editor of Honolulu’s Pacific Business News, stumbled upon 39 boxes of mortgage documents as he was dropping newspapers at a recycling center.
Mr. Kelly says he almost walked away, but he recalled being a victim of identity theft years ago. He hauled away the boxes and stored them in his garage, making four trips in his wife’s SUV.
Then he tracked down the firm’s former owner, who told Mr. Kelly he had paid a handyman $150 to remove the documents from his basement, where they had been stored in the six years since he had shuttered the company. The state took possession of the documents from Mr. Kelly and shredded them.
In the case of the Ameriquest loan files, DeKalb County, Ga., police have stored the boxes in their evidence room. Deputy Chief Mike Burrows says initial inspection has turned up loans made to buyers in Georgia and Florida dating between the late 1990s and 2005. At this point, he says, no evidence of a crime has emerged, although whoever is responsible could face a civil fine from state bank regulators.
In recent months Ameriquest’s parent, ACC Capital Holdings, has shut down Ameriquest’s loan offices, but it continues to fight a civil case in federal court in Chicago that accuses the company of defrauding borrowers. The lead attorney in the civil action, Jill Bowman, is seeking to subpoena the Georgia documents.
Ameriquest said, “We take the security of our records very seriously.” It said the documents may have been stolen and it’s working with police to determine who took them.
The dangers of identity theft in the mortgage business go beyond Dumpsters. Private information can also leak out via the Internet or when computer disks are taken off premises by employees.
On Sept. 21, Dow Jones Newswires reported that files containing Social Security numbers and other information on 5,208 customers of a Citigroup Inc. unit had been inadvertently downloaded onto an Internet “peer-to-peer” file-sharing network.
Dow Jones Newswires, a unit of Dow Jones & Co., publisher of The Wall Streeet Journal, determined the breach came after a former business analyst for Citigroup’s ABN Amro Mortgage Group joined a file-sharing network where people can share music and video downloads. Old work-related information that she had downloaded onto her personal computer apparently was inadvertently exposed to the network.
After looking into the matter, Citigroup offered one year of free credit monitoring to affected customers. The company said it is “fully committed to physical, electronic and procedural safeguards to protect personal information.”